blackshades | 28d30860f1248c967078e542d82db9ceac71e97084cffc49d3a5c4b20153eeae

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe
Size

402KB
MD5

9d34f75fee7cdd54510b8bed9975d6ed
SHA1

d828ae2dde1ee37ab670d4a7f40844b99250ff7c
SHA256

28d30860f1248c967078e542d82db9ceac71e97084cffc49d3a5c4b20153eeae
SHA512

f4056fc7dee99503ee9035e818e19be48425ad6e581a266a63da28407ed8a0ea196ffb12884b1ea275e58634417b050f515ba0439ea0fac485891c5f8b84f5aa
SSDEEP

6144:0ScZlR/7Us+iDZjdd4cRUH+8PNknqky0KJJaWYWMUJ47hcS5nF5VHzl1YrMg9kvV:ls+id7uPSthrCoZHzQH9c/CbG

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 18 IoCs

resource	yara_rule
behavioral1/memory/972-17-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/972-13-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/3200-32-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/5968-40-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/872-48-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/5324-56-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/5632-66-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/5892-74-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/4188-82-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/1720-90-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/972-98-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2300-99-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/6128-107-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/6076-115-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/6056-123-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/1556-131-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/3708-139-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/3456-150-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\UPdated1.exe = "C:\\Users\\Admin\\AppData\\Roaming\\UPdated1.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch\\Service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Javaz.exe
972	Service.exe
4128	Javaz.exe
3200	Service.exe
5968	Service.exe
872	Service.exe
5324	Service.exe
208	Javaz.exe
5632	Service.exe
5892	Service.exe
4188	Service.exe
1720	Service.exe
2300	Service.exe
6128	Service.exe
6076	Service.exe
6056	Service.exe
1556	Service.exe
3708	Service.exe
2120	Javaz.exe
3456	Service.exe
2272	Service.exe
1564	Service.exe
5072	Service.exe
4144	Service.exe
644	Service.exe
5640	Service.exe
2328	Service.exe
928	Service.exe
5544	Service.exe
4052	Service.exe
2096	Service.exe
4628	Javaz.exe
2648	Service.exe
4796	Service.exe
4220	Service.exe
5604	Service.exe
4652	Service.exe
4756	Service.exe
5560	Service.exe
3672	Service.exe
3628	Service.exe
5352	Service.exe
4780	Service.exe
4976	Service.exe
1512	Service.exe
3036	Service.exe
5168	Javaz.exe
3316	Service.exe
2136	Service.exe
2588	Service.exe
3372	Service.exe
2972	Service.exe
3576	Service.exe
4864	Service.exe
1448	Service.exe
5204	Service.exe
4296	Service.exe
4280	Service.exe
3396	Service.exe
1924	Javaz.exe
400	Service.exe
2148	Service.exe
2708	Service.exe
1880	Service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Javaz = "C:\\Users\\Admin\\AppData\\Roaming\\Javaz.exe"	Javaz.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3192 set thread context of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 4308 set thread context of 3200	4308	Javaz.exe	113
PID 4308 set thread context of 5968	4308	Javaz.exe	114
PID 4308 set thread context of 872	4308	Javaz.exe	117
PID 4308 set thread context of 5324	4308	Javaz.exe	118
PID 4128 set thread context of 5632	4128	Javaz.exe	122
PID 4128 set thread context of 5892	4128	Javaz.exe	123
PID 4128 set thread context of 4188	4128	Javaz.exe	124
PID 4128 set thread context of 1720	4128	Javaz.exe	125
PID 4128 set thread context of 2300	4128	Javaz.exe	126
PID 4128 set thread context of 6128	4128	Javaz.exe	127
PID 4128 set thread context of 6076	4128	Javaz.exe	128
PID 4128 set thread context of 6056	4128	Javaz.exe	129
PID 4128 set thread context of 1556	4128	Javaz.exe	131
PID 208 set thread context of 3708	208	Javaz.exe	133
PID 4128 set thread context of 3456	4128	Javaz.exe	135
PID 208 set thread context of 2272	208	Javaz.exe	136
PID 4128 set thread context of 1564	4128	Javaz.exe	137
PID 208 set thread context of 5072	208	Javaz.exe	138
PID 208 set thread context of 4144	208	Javaz.exe	139
PID 4128 set thread context of 644	4128	Javaz.exe	140
PID 4128 set thread context of 5640	4128	Javaz.exe	141
PID 4128 set thread context of 2328	4128	Javaz.exe	142
PID 4128 set thread context of 928	4128	Javaz.exe	143
PID 4128 set thread context of 5544	4128	Javaz.exe	144
PID 4128 set thread context of 4052	4128	Javaz.exe	145
PID 2120 set thread context of 2096	2120	Javaz.exe	148
PID 4128 set thread context of 2648	4128	Javaz.exe	150
PID 2120 set thread context of 4796	2120	Javaz.exe	151
PID 4128 set thread context of 4220	4128	Javaz.exe	152
PID 2120 set thread context of 5604	2120	Javaz.exe	153
PID 4128 set thread context of 4652	4128	Javaz.exe	154
PID 2120 set thread context of 4756	2120	Javaz.exe	155
PID 4128 set thread context of 5560	4128	Javaz.exe	156
PID 2120 set thread context of 3672	2120	Javaz.exe	157
PID 4128 set thread context of 3628	4128	Javaz.exe	158
PID 2120 set thread context of 5352	2120	Javaz.exe	159
PID 4128 set thread context of 4780	4128	Javaz.exe	160
PID 2120 set thread context of 4976	2120	Javaz.exe	161
PID 2120 set thread context of 1512	2120	Javaz.exe	162
PID 2120 set thread context of 3036	2120	Javaz.exe	163
PID 4628 set thread context of 3316	4628	Javaz.exe	167
PID 2120 set thread context of 2136	2120	Javaz.exe	168
PID 4628 set thread context of 2588	4628	Javaz.exe	169
PID 2120 set thread context of 3372	2120	Javaz.exe	170
PID 4628 set thread context of 2972	4628	Javaz.exe	171
PID 2120 set thread context of 3576	2120	Javaz.exe	172
PID 2120 set thread context of 4864	2120	Javaz.exe	173
PID 2120 set thread context of 1448	2120	Javaz.exe	174
PID 2120 set thread context of 5204	2120	Javaz.exe	175
PID 2120 set thread context of 4296	2120	Javaz.exe	176
PID 2120 set thread context of 4280	2120	Javaz.exe	177
PID 5168 set thread context of 3396	5168	Javaz.exe	180
PID 2120 set thread context of 400	2120	Javaz.exe	182
PID 5168 set thread context of 2148	5168	Javaz.exe	184
PID 5168 set thread context of 2708	5168	Javaz.exe	185
PID 5168 set thread context of 1880	5168	Javaz.exe	186
PID 1924 set thread context of 896	1924	Javaz.exe	190
PID 1924 set thread context of 1144	1924	Javaz.exe	192
PID 1924 set thread context of 2088	1924	Javaz.exe	193
PID 1924 set thread context of 4428	1924	Javaz.exe	194
PID 1924 set thread context of 4572	1924	Javaz.exe	196
PID 1924 set thread context of 1412	1924	Javaz.exe	197
PID 1924 set thread context of 4440	1924	Javaz.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4760	reg.exe
2708	reg.exe
1104	reg.exe
2252	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4308	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
208	Javaz.exe
208	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
208	Javaz.exe
208	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
208	Javaz.exe
208	Javaz.exe
208	Javaz.exe
208	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
2120	Javaz.exe
2120	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
2120	Javaz.exe
2120	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
2120	Javaz.exe
2120	Javaz.exe
4128	Javaz.exe
4128	Javaz.exe
2120	Javaz.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe
Token: 1	972	Service.exe
Token: SeCreateTokenPrivilege	972	Service.exe
Token: SeAssignPrimaryTokenPrivilege	972	Service.exe
Token: SeLockMemoryPrivilege	972	Service.exe
Token: SeIncreaseQuotaPrivilege	972	Service.exe
Token: SeMachineAccountPrivilege	972	Service.exe
Token: SeTcbPrivilege	972	Service.exe
Token: SeSecurityPrivilege	972	Service.exe
Token: SeTakeOwnershipPrivilege	972	Service.exe
Token: SeLoadDriverPrivilege	972	Service.exe
Token: SeSystemProfilePrivilege	972	Service.exe
Token: SeSystemtimePrivilege	972	Service.exe
Token: SeProfSingleProcessPrivilege	972	Service.exe
Token: SeIncBasePriorityPrivilege	972	Service.exe
Token: SeCreatePagefilePrivilege	972	Service.exe
Token: SeCreatePermanentPrivilege	972	Service.exe
Token: SeBackupPrivilege	972	Service.exe
Token: SeRestorePrivilege	972	Service.exe
Token: SeShutdownPrivilege	972	Service.exe
Token: SeDebugPrivilege	972	Service.exe
Token: SeAuditPrivilege	972	Service.exe
Token: SeSystemEnvironmentPrivilege	972	Service.exe
Token: SeChangeNotifyPrivilege	972	Service.exe
Token: SeRemoteShutdownPrivilege	972	Service.exe
Token: SeUndockPrivilege	972	Service.exe
Token: SeSyncAgentPrivilege	972	Service.exe
Token: SeEnableDelegationPrivilege	972	Service.exe
Token: SeManageVolumePrivilege	972	Service.exe
Token: SeImpersonatePrivilege	972	Service.exe
Token: SeCreateGlobalPrivilege	972	Service.exe
Token: 31	972	Service.exe
Token: 32	972	Service.exe
Token: 33	972	Service.exe
Token: 34	972	Service.exe
Token: 35	972	Service.exe
Token: SeDebugPrivilege	4308	Javaz.exe
Token: SeDebugPrivilege	4128	Javaz.exe
Token: SeDebugPrivilege	208	Javaz.exe
Token: SeDebugPrivilege	2120	Javaz.exe
Token: SeDebugPrivilege	4628	Javaz.exe
Token: SeDebugPrivilege	5168	Javaz.exe
Token: SeDebugPrivilege	1924	Javaz.exe
Token: SeDebugPrivilege	5860	Javaz.exe
Token: SeDebugPrivilege	3936	Javaz.exe
Token: SeDebugPrivilege	5548	Javaz.exe
Token: SeDebugPrivilege	4992	Javaz.exe
Token: SeDebugPrivilege	772	Javaz.exe
Token: SeDebugPrivilege	6236	Javaz.exe
Token: SeDebugPrivilege	6368	Javaz.exe
Token: SeDebugPrivilege	6356	Javaz.exe
Token: SeDebugPrivilege	6508	Javaz.exe
Token: SeDebugPrivilege	7372	Javaz.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
972	Service.exe
972	Service.exe
972	Service.exe
972	Service.exe
3200	Service.exe
3200	Service.exe
5968	Service.exe
5968	Service.exe
872	Service.exe
872	Service.exe
5324	Service.exe
5324	Service.exe
5632	Service.exe
5632	Service.exe
5892	Service.exe
5892	Service.exe
4188	Service.exe
4188	Service.exe
1720	Service.exe
1720	Service.exe
2300	Service.exe
2300	Service.exe
6128	Service.exe
6128	Service.exe
6076	Service.exe
6076	Service.exe
6056	Service.exe
6056	Service.exe
1556	Service.exe
1556	Service.exe
3708	Service.exe
3708	Service.exe
3456	Service.exe
3456	Service.exe
2272	Service.exe
2272	Service.exe
1564	Service.exe
1564	Service.exe
5072	Service.exe
5072	Service.exe
4144	Service.exe
644	Service.exe
4144	Service.exe
644	Service.exe
5640	Service.exe
5640	Service.exe
2328	Service.exe
2328	Service.exe
928	Service.exe
928	Service.exe
5544	Service.exe
5544	Service.exe
4052	Service.exe
4052	Service.exe
2096	Service.exe
2096	Service.exe
2648	Service.exe
2648	Service.exe
4796	Service.exe
4796	Service.exe
4220	Service.exe
4220	Service.exe
5604	Service.exe
5604	Service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4308	4684	cmd.exe	95
PID 4684 wrote to memory of 4308	4684	cmd.exe	95
PID 4684 wrote to memory of 4308	4684	cmd.exe	95
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 3192 wrote to memory of 972	3192	JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe	96
PID 972 wrote to memory of 2044	972	Service.exe	97
PID 972 wrote to memory of 2044	972	Service.exe	97
PID 972 wrote to memory of 2044	972	Service.exe	97
PID 972 wrote to memory of 4560	972	Service.exe	98
PID 972 wrote to memory of 4560	972	Service.exe	98
PID 972 wrote to memory of 4560	972	Service.exe	98
PID 972 wrote to memory of 1880	972	Service.exe	99
PID 972 wrote to memory of 1880	972	Service.exe	99
PID 972 wrote to memory of 1880	972	Service.exe	99
PID 972 wrote to memory of 1164	972	Service.exe	100
PID 972 wrote to memory of 1164	972	Service.exe	100
PID 972 wrote to memory of 1164	972	Service.exe	100
PID 2044 wrote to memory of 4760	2044	cmd.exe	105
PID 2044 wrote to memory of 4760	2044	cmd.exe	105
PID 2044 wrote to memory of 4760	2044	cmd.exe	105
PID 1880 wrote to memory of 2708	1880	cmd.exe	106
PID 1880 wrote to memory of 2708	1880	cmd.exe	106
PID 1880 wrote to memory of 2708	1880	cmd.exe	106
PID 1164 wrote to memory of 2252	1164	cmd.exe	107
PID 1164 wrote to memory of 2252	1164	cmd.exe	107
PID 1164 wrote to memory of 2252	1164	cmd.exe	107
PID 4560 wrote to memory of 1104	4560	cmd.exe	108
PID 4560 wrote to memory of 1104	4560	cmd.exe	108
PID 4560 wrote to memory of 1104	4560	cmd.exe	108
PID 5972 wrote to memory of 4128	5972	cmd.exe	112
PID 5972 wrote to memory of 4128	5972	cmd.exe	112
PID 5972 wrote to memory of 4128	5972	cmd.exe	112
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 3200	4308	Javaz.exe	113
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 5968	4308	Javaz.exe	114
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 872	4308	Javaz.exe	117
PID 4308 wrote to memory of 5324	4308	Javaz.exe	118
PID 4308 wrote to memory of 5324	4308	Javaz.exe	118

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d34f75fee7cdd54510b8bed9975d6ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
  C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\UPdated1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UPdated1.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\UPdated1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UPdated1.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5972
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5632
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6128
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6076
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6056
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:644
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5640
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5544
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:3224
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3708
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5604
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:3396
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5772
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6132
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5780
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5192
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6012
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5880
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5660
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5436
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5408
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6156
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6304
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6460
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6708
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6904
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7016
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7156
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6328
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6768
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6868
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6400
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6696
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6792
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6284
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6724
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6184
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7128
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:424
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7316
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7664
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5668
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5232
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5608
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:716
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6084
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1204
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2188
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3904
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5212
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6292
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6452
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6804
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6984
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7120
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6428
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6664
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6956
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5904
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6592
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6740
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7100
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4364
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6288
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6920
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6992
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5504
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6616
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5840
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7404
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7708
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8000
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1480
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7528
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8056
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5732
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5368
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5268
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3508
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3260
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5260
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6336
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6480
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6680
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6872
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7008
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7164
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6420
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6652
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6940
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7104
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6716
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6936
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6620
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6648
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6468
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6832
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7392
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7716
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8016
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7748
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7312
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7624
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7984
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7224
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7744
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7768
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8140
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8160
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7904
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8116
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8480
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8840
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7188
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8592
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9052
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8260
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9012
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8932
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4092
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8928
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9212
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9560
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9916
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8376
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10040
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9800
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8752
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7004
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6540
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10572
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10252
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10848
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11168
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:1900
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6268
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6500
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:1060
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:6236
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6476
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6656
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6556
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6732
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7036
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6276
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6752
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6196
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6780
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6604
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6568
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5832
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7420
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7728
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8008
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7268
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7568
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8152
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7532
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7448
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8096
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7888
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7912
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7200
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8520
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8956
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8252
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8532
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9172
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8216
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9140
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8272
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6204
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5148
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8308
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9132
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8312
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9644
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9964
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8584
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9616
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9840
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6528
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10188
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9236
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10556
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11004
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10432
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6560
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11088
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:7148
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:6368
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6220
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6764
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6760
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6472
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7132
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7080
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6776
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7084
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6372
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7460
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7808
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8040
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7300
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7644
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8084
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7548
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7204
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7956
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7540
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7172
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7896
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8504
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8884
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:32
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8556
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9116
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8244
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8920
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8340
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8820
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8280
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9136
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9568
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9924
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7520
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10076
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5920
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10004
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9952
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9688
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9444
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10600
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11140
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10840
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10920
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11240
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:6960
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6356
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6700
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7412
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7736
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8048
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7192
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7524
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8144
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7280
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7968
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7284
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5744
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7176
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7656
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7236
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8976
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7452
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8676
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9080
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8256
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8916
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8964
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8800
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8660
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6256
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8360
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9536
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9892
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6916
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9880
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9340
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9656
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7096
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9316
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6564
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10360
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10520
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10988
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10356
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9584
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11016
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:6788
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6508
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7440
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7792
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7348
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7432
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8080
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7616
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7944
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8104
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8172
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7752
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7472
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7676
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7240
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7328
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8540
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8832
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9184
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:2856
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:7372
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7860
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7304
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8168
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7272
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7180
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7584
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7832
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8124
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7480
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8488
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8856
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8576
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9072
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8400
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8292
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8620
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8684
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9148
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9168
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9000
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8248
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5492
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9552
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9908
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8728
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9824
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10064
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9232
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10068
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4408
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10292
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11232
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10472
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10656
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11204
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:7660
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:7996
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7684
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7588
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8180
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8496
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8848
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8264
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8732
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9096
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6884
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8284
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9180
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8628
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8696
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6584
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8624
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:7632
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:7360
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7828
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8512
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8876
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7764
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8792
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9064
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8384
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8596
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8692
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8112
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8368
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9600
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9932
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8868
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9708
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10024
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9836
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10112
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9508
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6192
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9248
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10580
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10864
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9344
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10676
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6228
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:5424
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:8444
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8420
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9044
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8336
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8904
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4920
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7704
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8948
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6552
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8604
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9196
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8648
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9780
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10012
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8724
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9640
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10228
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9764
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10212
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10144
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10316
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11112
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10464
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11048
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10328
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11244
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:8432
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:9016
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9004
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:9032
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:7496
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:8760
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5636
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9544
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9900
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9348
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9828
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9328
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9788
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9364
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7044
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9504
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10224
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10548
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10996
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10272
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10376
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11084
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:8780
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:9460
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9888
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9380
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10032
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9796
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9448
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10540
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11060
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10624
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11192
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10372
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11120
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:9848
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:10184
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:9668
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:7068
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:6576
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10564
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11024
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10336
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:732
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11128
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:8412
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:9384
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10428
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:11040
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:10896
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\Service.exe
    3⤵
    PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:9692
- C:\Users\Admin\AppData\Roaming\Javaz.exe
  C:\Users\Admin\AppData\Roaming\Javaz.exe
  2⤵
  PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Javaz.exe
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AppLaunch\Service.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Roaming\Javaz.exe

Filesize
402KB

MD5
9d34f75fee7cdd54510b8bed9975d6ed

SHA1
d828ae2dde1ee37ab670d4a7f40844b99250ff7c

SHA256
28d30860f1248c967078e542d82db9ceac71e97084cffc49d3a5c4b20153eeae

SHA512
f4056fc7dee99503ee9035e818e19be48425ad6e581a266a63da28407ed8a0ea196ffb12884b1ea275e58634417b050f515ba0439ea0fac485891c5f8b84f5aa

Download Submit
memory/872-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1556-131-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1720-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2300-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3192-24-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/3192-23-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/3192-1-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/3192-0-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/3192-2-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3456-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3708-139-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4188-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4308-9-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4308-7-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4308-62-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/5324-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5632-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5892-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5968-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6056-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6076-115-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6128-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download