blackshades | 2de2283881519bac29574cc024222b125543ac13f286b4f1eb9b907c4c6ab168

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
Size

348KB
MD5

9f4bf0acb58bc190bcdba6402bb57f83
SHA1

55535852792cdc844037d8ecf89b2522b583b91e
SHA256

2de2283881519bac29574cc024222b125543ac13f286b4f1eb9b907c4c6ab168
SHA512

8379ea28c8f149e4b0fe6b8c62d71e0d7fe290feaa2ff39b45e113e93dd51fc9632b03875a91ff562489bdd2009bac2820025e29656e690966830891c0aaa5c9
SSDEEP

6144:btdtljFT55CBeHLq2nSV6pZxa6uAmfZPyXVVB0rVc0oCPiCNjVriAWJl+:1ljFT55CkW2nZpvaPZPkVyVp6CNjVSl+

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 3 IoCs

resource	yara_rule
behavioral1/memory/1472-18-0x0000000000400000-0x000000000047A000-memory.dmp	family_blackshades
behavioral1/memory/1472-20-0x0000000000400000-0x000000000047A000-memory.dmp	family_blackshades
behavioral1/memory/1472-45-0x0000000000400000-0x000000000047A000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Audiodg.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe"	AppLaunch.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD6E8ED-AAC9-6FDE-DDB6-E42FC46BF0BE}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD6E8ED-AAC9-6FDE-DDB6-E42FC46BF0BE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe"	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CD6E8ED-AAC9-6FDE-DDB6-E42FC46BF0BE}	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CD6E8ED-AAC9-6FDE-DDB6-E42FC46BF0BE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe"	AppLaunch.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	vmnethcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	BioCredProv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	vmnethcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	vmnethcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	BioCredProv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	BioCredProv.exe

Deletes itself 1 IoCs

pid	Process
2832	BioCredProv.exe

Executes dropped EXE 64 IoCs

pid	Process
3672	explorer.exe
3440	vmnethcp.exe
3616	Audiodg.exe
888	Audiodg.exe
4804	Audiodg.exe
4716	Audiodg.exe
3592	Audiodg.exe
3848	Audiodg.exe
348	Audiodg.exe
3476	Audiodg.exe
2896	vmnethcp.exe
2832	BioCredProv.exe
1928	vmnethcp.exe
4952	Audiodg.exe
652	Audiodg.exe
1680	vmnethcp.exe
3836	vmnethcp.exe
4416	vmnethcp.exe
4576	vmnethcp.exe
4584	Audiodg.exe
1812	Audiodg.exe
3772	vmnethcp.exe
624	vmnethcp.exe
2520	vmnethcp.exe
2764	Audiodg.exe
3768	Audiodg.exe
1320	vmnethcp.exe
1684	vmnethcp.exe
4248	vmnethcp.exe
5128	vmnethcp.exe
5252	vmnethcp.exe
5296	Audiodg.exe
5332	Audiodg.exe
5440	explorer.exe
5576	Audiodg.exe
5584	Audiodg.exe
5748	Audiodg.exe
5756	Audiodg.exe
5928	Audiodg.exe
5936	Audiodg.exe
6068	Audiodg.exe
6080	Audiodg.exe
5332	Audiodg.exe
3636	Audiodg.exe
5020	vmnethcp.exe
5364	Audiodg.exe
4712	Audiodg.exe
2500	Audiodg.exe
5264	Audiodg.exe
3524	Audiodg.exe
2244	Audiodg.exe
464	vmnethcp.exe
1308	BioCredProv.exe
3032	vmnethcp.exe
3860	Audiodg.exe
4756	Audiodg.exe
3068	vmnethcp.exe
2200	vmnethcp.exe
5424	vmnethcp.exe
5500	Audiodg.exe
5484	Audiodg.exe
2276	vmnethcp.exe
5720	vmnethcp.exe
5784	vmnethcp.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Routing Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\vmnethcp.exe"	vmnethcp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3672 set thread context of 1472	3672	explorer.exe	101
PID 5440 set thread context of 5224	5440	explorer.exe	245
PID 3116 set thread context of 5584	3116	explorer.exe	363

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BioCredProv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnethcp.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2824	reg.exe
4980	reg.exe
4880	reg.exe
3056	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe
3672	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
Token: SeDebugPrivilege	3672	explorer.exe
Token: 1	1472	AppLaunch.exe
Token: SeCreateTokenPrivilege	1472	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	1472	AppLaunch.exe
Token: SeLockMemoryPrivilege	1472	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	1472	AppLaunch.exe
Token: SeMachineAccountPrivilege	1472	AppLaunch.exe
Token: SeTcbPrivilege	1472	AppLaunch.exe
Token: SeSecurityPrivilege	1472	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1472	AppLaunch.exe
Token: SeLoadDriverPrivilege	1472	AppLaunch.exe
Token: SeSystemProfilePrivilege	1472	AppLaunch.exe
Token: SeSystemtimePrivilege	1472	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1472	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1472	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1472	AppLaunch.exe
Token: SeCreatePermanentPrivilege	1472	AppLaunch.exe
Token: SeBackupPrivilege	1472	AppLaunch.exe
Token: SeRestorePrivilege	1472	AppLaunch.exe
Token: SeShutdownPrivilege	1472	AppLaunch.exe
Token: SeDebugPrivilege	1472	AppLaunch.exe
Token: SeAuditPrivilege	1472	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1472	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1472	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1472	AppLaunch.exe
Token: SeUndockPrivilege	1472	AppLaunch.exe
Token: SeSyncAgentPrivilege	1472	AppLaunch.exe
Token: SeEnableDelegationPrivilege	1472	AppLaunch.exe
Token: SeManageVolumePrivilege	1472	AppLaunch.exe
Token: SeImpersonatePrivilege	1472	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1472	AppLaunch.exe
Token: 31	1472	AppLaunch.exe
Token: 32	1472	AppLaunch.exe
Token: 33	1472	AppLaunch.exe
Token: 34	1472	AppLaunch.exe
Token: 35	1472	AppLaunch.exe
Token: SeDebugPrivilege	3440	vmnethcp.exe
Token: SeDebugPrivilege	2896	vmnethcp.exe
Token: SeDebugPrivilege	1928	vmnethcp.exe
Token: SeDebugPrivilege	1680	vmnethcp.exe
Token: SeDebugPrivilege	3836	vmnethcp.exe
Token: SeDebugPrivilege	4416	vmnethcp.exe
Token: SeDebugPrivilege	4576	vmnethcp.exe
Token: SeDebugPrivilege	3772	vmnethcp.exe
Token: SeDebugPrivilege	624	vmnethcp.exe
Token: SeDebugPrivilege	2520	vmnethcp.exe
Token: SeDebugPrivilege	1320	vmnethcp.exe
Token: SeDebugPrivilege	1684	vmnethcp.exe
Token: SeDebugPrivilege	4248	vmnethcp.exe
Token: SeDebugPrivilege	5128	vmnethcp.exe
Token: SeDebugPrivilege	5252	vmnethcp.exe
Token: SeDebugPrivilege	2832	BioCredProv.exe
Token: SeDebugPrivilege	5440	explorer.exe
Token: SeDebugPrivilege	5020	vmnethcp.exe
Token: SeDebugPrivilege	464	vmnethcp.exe
Token: SeDebugPrivilege	3032	vmnethcp.exe
Token: SeDebugPrivilege	3068	vmnethcp.exe
Token: SeDebugPrivilege	2200	vmnethcp.exe
Token: SeDebugPrivilege	5424	vmnethcp.exe
Token: SeDebugPrivilege	2276	vmnethcp.exe
Token: SeDebugPrivilege	5720	vmnethcp.exe
Token: SeDebugPrivilege	5784	vmnethcp.exe
Token: SeDebugPrivilege	5876	vmnethcp.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1472	AppLaunch.exe
1472	AppLaunch.exe
1472	AppLaunch.exe
1472	AppLaunch.exe
1472	AppLaunch.exe
5224	AppLaunch.exe
5224	AppLaunch.exe
1472	AppLaunch.exe
5584	AppLaunch.exe
5584	AppLaunch.exe
1472	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3672	3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe	99
PID 3940 wrote to memory of 3672	3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe	99
PID 3940 wrote to memory of 3672	3940	JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe	99
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 3672 wrote to memory of 1472	3672	explorer.exe	101
PID 1472 wrote to memory of 1308	1472	AppLaunch.exe	102
PID 1472 wrote to memory of 1308	1472	AppLaunch.exe	102
PID 1472 wrote to memory of 1308	1472	AppLaunch.exe	102
PID 1472 wrote to memory of 2740	1472	AppLaunch.exe	103
PID 1472 wrote to memory of 2740	1472	AppLaunch.exe	103
PID 1472 wrote to memory of 2740	1472	AppLaunch.exe	103
PID 1472 wrote to memory of 4708	1472	AppLaunch.exe	104
PID 1472 wrote to memory of 4708	1472	AppLaunch.exe	104
PID 1472 wrote to memory of 4708	1472	AppLaunch.exe	104
PID 1472 wrote to memory of 2852	1472	AppLaunch.exe	105
PID 1472 wrote to memory of 2852	1472	AppLaunch.exe	105
PID 1472 wrote to memory of 2852	1472	AppLaunch.exe	105
PID 3672 wrote to memory of 3440	3672	explorer.exe	114
PID 3672 wrote to memory of 3440	3672	explorer.exe	114
PID 3672 wrote to memory of 3440	3672	explorer.exe	114
PID 1308 wrote to memory of 4980	1308	cmd.exe	115
PID 1308 wrote to memory of 4980	1308	cmd.exe	115
PID 1308 wrote to memory of 4980	1308	cmd.exe	115
PID 4708 wrote to memory of 2824	4708	cmd.exe	116
PID 4708 wrote to memory of 2824	4708	cmd.exe	116
PID 4708 wrote to memory of 2824	4708	cmd.exe	116
PID 2740 wrote to memory of 4880	2740	cmd.exe	117
PID 2740 wrote to memory of 4880	2740	cmd.exe	117
PID 2740 wrote to memory of 4880	2740	cmd.exe	117
PID 1444 wrote to memory of 3616	1444	cmd.exe	118
PID 1444 wrote to memory of 3616	1444	cmd.exe	118
PID 1444 wrote to memory of 3616	1444	cmd.exe	118
PID 5008 wrote to memory of 888	5008	cmd.exe	119
PID 5008 wrote to memory of 888	5008	cmd.exe	119
PID 5008 wrote to memory of 888	5008	cmd.exe	119
PID 2852 wrote to memory of 3056	2852	cmd.exe	120
PID 2852 wrote to memory of 3056	2852	cmd.exe	120
PID 2852 wrote to memory of 3056	2852	cmd.exe	120
PID 2076 wrote to memory of 4804	2076	cmd.exe	125
PID 2076 wrote to memory of 4804	2076	cmd.exe	125
PID 2076 wrote to memory of 4804	2076	cmd.exe	125
PID 2440 wrote to memory of 4716	2440	cmd.exe	126
PID 2440 wrote to memory of 4716	2440	cmd.exe	126
PID 2440 wrote to memory of 4716	2440	cmd.exe	126
PID 2108 wrote to memory of 3592	2108	cmd.exe	137
PID 2108 wrote to memory of 3592	2108	cmd.exe	137
PID 2108 wrote to memory of 3592	2108	cmd.exe	137
PID 5072 wrote to memory of 3848	5072	cmd.exe	138
PID 5072 wrote to memory of 3848	5072	cmd.exe	138
PID 5072 wrote to memory of 3848	5072	cmd.exe	138
PID 1812 wrote to memory of 348	1812	cmd.exe	143
PID 1812 wrote to memory of 348	1812	cmd.exe	143
PID 1812 wrote to memory of 348	1812	cmd.exe	143
PID 1308 wrote to memory of 3476	1308	cmd.exe	144
PID 1308 wrote to memory of 3476	1308	cmd.exe	144
PID 1308 wrote to memory of 3476	1308	cmd.exe	144
PID 4388 wrote to memory of 2896	4388	cmd.exe	147
PID 4388 wrote to memory of 2896	4388	cmd.exe	147
PID 4388 wrote to memory of 2896	4388	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f4bf0acb58bc190bcdba6402bb57f83.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Audiodg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Audiodg.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Audiodg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Audiodg.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe
      "C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe"
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2832
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5224
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4040
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4916
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4336
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:872
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4276
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:2544
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:1444
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:2612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5180
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5488
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5496
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5652
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5840
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5988
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1544
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:3148
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:348
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:3412
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5412
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - Executes dropped EXE
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2476
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:6028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1260
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1680
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:3400
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5164
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2476
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5952
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2536
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2840
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:8
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:3356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:1884
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5944
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5192
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1160
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
1⤵
PID:5524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:2536
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Audiodg.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\Audiodg.exe
  C:\Users\Admin\AppData\Roaming\Audiodg.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\explorer.exe.log

Filesize
405B

MD5
e67dda3c1f8802bb1a6eaa9cf76d93fd

SHA1
5b668acd27fbcc0c79b08df74f3adfc11edc1caf

SHA256
52b222a900787b031aeef7a434893d0c43f080d36edfecd8e5723983daae975f

SHA512
fcd302a441c804471c55f8c9a39ab24f0165462f141f44a9c1e401ec68170d6a40894a102046c575b00c4826d54fe9bd970f409fbf065d59fb7c2ca80f06755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\vmnethcp.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Audiodg.exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
348KB

MD5
9f4bf0acb58bc190bcdba6402bb57f83

SHA1
55535852792cdc844037d8ecf89b2522b583b91e

SHA256
2de2283881519bac29574cc024222b125543ac13f286b4f1eb9b907c4c6ab168

SHA512
8379ea28c8f149e4b0fe6b8c62d71e0d7fe290feaa2ff39b45e113e93dd51fc9632b03875a91ff562489bdd2009bac2820025e29656e690966830891c0aaa5c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vmnethcp.exe

Filesize
7KB

MD5
4eee01103603d6eabf509c31217cabe5

SHA1
05b112a6c816f8b5751254fba8097b183a048a9a

SHA256
c83c075c58eab7efd6544124c87ef4770bd6be5a4b5b21ee2cf9843f63348807

SHA512
ab688177bd3b60509b4cb996697e14107b6f0599a40783750a4c978ede44a287196ca87fd2bf6fcf18a553635d4bc50ad1036314fb95968799cc60a9d5a64cbc

Download Submit
memory/1472-18-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1472-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1472-20-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3672-11-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3672-13-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3672-9-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3672-8-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3672-74-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3940-12-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3940-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3940-6-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3940-5-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3940-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3940-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download