mydoom | e1440f2b7aa2f9611afbc15d655749ce99e0d7fef0f28a5a10fb9033c2cb9975

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
Size

48KB
MD5

abd1e1ea0a6edc0200605e6a4b8c0823
SHA1

4db49b8fb8fe1f91a3af9d0ab0a886b4bfb7cde6
SHA256

e1440f2b7aa2f9611afbc15d655749ce99e0d7fef0f28a5a10fb9033c2cb9975
SHA512

92675b8a0f2294959fdbb657c97c1a8257c8bfc40ef431f8294781837bddd4d89486aebe1916bf6411cff79f094d2c278c0eb5f66e43cb312cfc73c38e81ca42
SSDEEP

768:jv8IRRdsxq1DjJcqOmdGxDOmgd7w0ID9h7my9pNXczhUuV:DxRTsxq1DjCiQhOmgyNH7n9gauV

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/1696-56-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral1/memory/2036-60-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral1/memory/2640-64-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral1/memory/2640-566-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral1/memory/2640-630-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral1/memory/2640-677-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
5164	services.exe
2640	java.exe
4216	services.exe
2420	services.exe
4632	services.exe
4588	services.exe
2036	java.exe
2796	services.exe
3596	services.exe
4732	services.exe
3076	services.exe
5920	services.exe
852	services.exe
964	services.exe
6048	services.exe
4652	services.exe
3348	services.exe
2440	services.exe
1304	services.exe
6060	services.exe
2764	services.exe
2044	services.exe
5380	services.exe
2900	services.exe
3316	services.exe
1836	services.exe
5956	services.exe
4132	services.exe
400	services.exe
5856	services.exe
4388	services.exe
4764	services.exe
3068	services.exe
6132	services.exe
2312	services.exe
5132	services.exe
4056	services.exe
1868	services.exe
3824	services.exe
2380	services.exe
408	services.exe
6176	services.exe
6184	services.exe
6308	services.exe
6320	services.exe
6460	services.exe
6524	services.exe
6632	services.exe
6708	services.exe
6716	services.exe
6780	services.exe
6964	services.exe
6980	services.exe
7108	services.exe
6416	services.exe
6408	services.exe
7008	services.exe
7200	services.exe
7252	services.exe
7272	services.exe
7424	services.exe
7440	services.exe
7568	services.exe
7576	services.exe

Loads dropped DLL 3 IoCs

pid	Process
1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
2640	java.exe
2036	java.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcmgcd32.dll	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\Windows\SysWOW64\vcmgcd32.dl_	java.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dll	java.exe
File opened for modification	C:\Windows\SysWOW64\vcmgcd32.dl_	java.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dll	java.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dl_	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-0-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral1/files/0x000700000002430d-12.dat	upx
behavioral1/memory/5164-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000800000002430e-22.dat	upx
behavioral1/memory/4216-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2420-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4632-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-56-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/2036-60-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/3596-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2640-64-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/5164-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4732-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2420-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4632-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/852-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4652-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6048-92-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4588-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-98-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3348-97-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3076-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2764-109-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2044-116-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5920-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5380-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/964-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6048-126-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3316-127-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1836-132-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3348-135-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2440-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1304-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5856-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4388-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2764-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4764-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5380-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2900-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1836-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4056-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5956-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1868-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4132-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2380-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3824-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/400-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4388-173-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6184-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6132-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6320-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2312-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6460-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5132-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6524-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4056-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1868-191-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6632-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6716-196-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6780-200-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/408-199-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6708-195-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe
File opened for modification	C:\WINDOWS\JAVA.EXE	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\WINDOWS\SERVICES.EXE	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File created	C:\Windows\services.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File created	C:\Windows\java.exe	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
File created	C:\Windows\services.exe	java.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
2640	java.exe
2640	java.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
20320	Process not Found
20256	Process not Found
20252	Process not Found
20268	Process not Found
20240	Process not Found
18712	Process not Found
20348	Process not Found
616	Process not Found
3116	Process not Found
16744	Process not Found
19176	Process not Found
20380	Process not Found
10720	Process not Found
20340	Process not Found
18636	Process not Found
796	Process not Found
18756	Process not Found
844	Process not Found
7688	Process not Found
20368	Process not Found
6028	Process not Found
792	Process not Found
3264	Process not Found
19040	Process not Found
18720	Process not Found
5404	Process not Found
3196	Process not Found
9748	Process not Found
4688	Process not Found
3352	Process not Found
4316	Process not Found
6052	Process not Found
2928	Process not Found
392	Process not Found
20336	Process not Found
20404	Process not Found
3996	Process not Found
20356	Process not Found
20420	Process not Found
20416	Process not Found
220	Process not Found
5372	Process not Found
5136	Process not Found
20464	Process not Found
14856	Process not Found
5884	Process not Found
4604	Process not Found
4772	Process not Found
2784	Process not Found
2372	Process not Found
4736	Process not Found
4988	Process not Found
4952	Process not Found
4868	Process not Found
20432	Process not Found
20444	Process not Found
5656	Process not Found
15036	Process not Found
20456	Process not Found
20440	Process not Found
6012	Process not Found
3504	Process not Found
2428	Process not Found
3972	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	5868	dwm.exe
Token: SeChangeNotifyPrivilege	5868	dwm.exe
Token: 33	5868	dwm.exe
Token: SeIncBasePriorityPrivilege	5868	dwm.exe
Token: SeCreateGlobalPrivilege	19484	dwm.exe
Token: SeChangeNotifyPrivilege	19484	dwm.exe
Token: 33	19484	dwm.exe
Token: SeIncBasePriorityPrivilege	19484	dwm.exe
Token: SeCreateGlobalPrivilege	19972	dwm.exe
Token: SeChangeNotifyPrivilege	19972	dwm.exe
Token: 33	19972	dwm.exe
Token: SeIncBasePriorityPrivilege	19972	dwm.exe
Token: SeCreateGlobalPrivilege	20064	dwm.exe
Token: SeChangeNotifyPrivilege	20064	dwm.exe
Token: 33	20064	dwm.exe
Token: SeIncBasePriorityPrivilege	20064	dwm.exe
Token: SeCreateGlobalPrivilege	20172	dwm.exe
Token: SeChangeNotifyPrivilege	20172	dwm.exe
Token: 33	20172	dwm.exe
Token: SeIncBasePriorityPrivilege	20172	dwm.exe
Token: SeCreateGlobalPrivilege	20240	dwm.exe
Token: SeChangeNotifyPrivilege	20240	dwm.exe
Token: 33	20240	dwm.exe
Token: SeIncBasePriorityPrivilege	20240	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 5164	1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe	87
PID 1696 wrote to memory of 5164	1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe	87
PID 1696 wrote to memory of 5164	1696	JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe	87
PID 5596 wrote to memory of 2640	5596	cmd.exe	94
PID 5596 wrote to memory of 2640	5596	cmd.exe	94
PID 5596 wrote to memory of 2640	5596	cmd.exe	94
PID 2640 wrote to memory of 4216	2640	java.exe	95
PID 2640 wrote to memory of 4216	2640	java.exe	95
PID 2640 wrote to memory of 4216	2640	java.exe	95
PID 5012 wrote to memory of 2420	5012	cmd.exe	100
PID 5012 wrote to memory of 2420	5012	cmd.exe	100
PID 5012 wrote to memory of 2420	5012	cmd.exe	100
PID 5180 wrote to memory of 4632	5180	cmd.exe	103
PID 5180 wrote to memory of 4632	5180	cmd.exe	103
PID 5180 wrote to memory of 4632	5180	cmd.exe	103
PID 4892 wrote to memory of 4588	4892	cmd.exe	106
PID 4892 wrote to memory of 4588	4892	cmd.exe	106
PID 4892 wrote to memory of 4588	4892	cmd.exe	106
PID 5744 wrote to memory of 2036	5744	cmd.exe	107
PID 5744 wrote to memory of 2036	5744	cmd.exe	107
PID 5744 wrote to memory of 2036	5744	cmd.exe	107
PID 4428 wrote to memory of 2796	4428	cmd.exe	110
PID 4428 wrote to memory of 2796	4428	cmd.exe	110
PID 4428 wrote to memory of 2796	4428	cmd.exe	110
PID 4612 wrote to memory of 3596	4612	cmd.exe	111
PID 4612 wrote to memory of 3596	4612	cmd.exe	111
PID 4612 wrote to memory of 3596	4612	cmd.exe	111
PID 2488 wrote to memory of 4732	2488	cmd.exe	116
PID 2488 wrote to memory of 4732	2488	cmd.exe	116
PID 2488 wrote to memory of 4732	2488	cmd.exe	116
PID 4820 wrote to memory of 3076	4820	cmd.exe	121
PID 4820 wrote to memory of 3076	4820	cmd.exe	121
PID 4820 wrote to memory of 3076	4820	cmd.exe	121
PID 536 wrote to memory of 5920	536	cmd.exe	122
PID 536 wrote to memory of 5920	536	cmd.exe	122
PID 536 wrote to memory of 5920	536	cmd.exe	122
PID 5996 wrote to memory of 852	5996	cmd.exe	127
PID 5996 wrote to memory of 852	5996	cmd.exe	127
PID 5996 wrote to memory of 852	5996	cmd.exe	127
PID 2660 wrote to memory of 964	2660	cmd.exe	128
PID 2660 wrote to memory of 964	2660	cmd.exe	128
PID 2660 wrote to memory of 964	2660	cmd.exe	128
PID 528 wrote to memory of 6048	528	cmd.exe	133
PID 528 wrote to memory of 6048	528	cmd.exe	133
PID 528 wrote to memory of 6048	528	cmd.exe	133
PID 4660 wrote to memory of 4652	4660	cmd.exe	134
PID 4660 wrote to memory of 4652	4660	cmd.exe	134
PID 4660 wrote to memory of 4652	4660	cmd.exe	134
PID 1620 wrote to memory of 2440	1620	cmd.exe	139
PID 4908 wrote to memory of 3348	4908	cmd.exe	140
PID 1620 wrote to memory of 2440	1620	cmd.exe	139
PID 1620 wrote to memory of 2440	1620	cmd.exe	139
PID 4908 wrote to memory of 3348	4908	cmd.exe	140
PID 4908 wrote to memory of 3348	4908	cmd.exe	140
PID 5096 wrote to memory of 6060	5096	cmd.exe	146
PID 5096 wrote to memory of 6060	5096	cmd.exe	146
PID 5096 wrote to memory of 6060	5096	cmd.exe	146
PID 2840 wrote to memory of 1304	2840	cmd.exe	145
PID 2840 wrote to memory of 1304	2840	cmd.exe	145
PID 2840 wrote to memory of 1304	2840	cmd.exe	145
PID 6100 wrote to memory of 2764	6100	cmd.exe	151
PID 6100 wrote to memory of 2764	6100	cmd.exe	151
PID 6100 wrote to memory of 2764	6100	cmd.exe	151
PID 928 wrote to memory of 2044	928	cmd.exe	156

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abd1e1ea0a6edc0200605e6a4b8c0823.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5596
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5744
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6100
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3732
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4264
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5640
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6380
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6808
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6860
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7044
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7264
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7368
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8148
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:8716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8440
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8628
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8752
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:9496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9048
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9128
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8860
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9572
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:9996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9956
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10264
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10408
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10772
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10780
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11072
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2392
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10732
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11400
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11584
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11628
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12408
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13316
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13700
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:15000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13968
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:15084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14780
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5668

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16932
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18204
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18900
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12108
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19580

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:19484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19868
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20284

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:19972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19992

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:20064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:20172

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:20240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20356

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:20432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:14000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19836

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:19496

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:14996

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:19584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:20296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:20272

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxw0O.log

Filesize
1KB

MD5
968cf92ddaa45a3e1a253be68f347069

SHA1
f639f54445e2a5f286530144ed8358f58b245117

SHA256
fdfd3c1b9c3ebb4fc00b9f2696df00a034ab62ecc94654c95343328a658f7cc1

SHA512
93adeebd2a89fa7f39d4c2bc4f20f13ea14e5987f3b3e05ead17bc4f6a24161065c06775e62af540c9207bf1db63dc1e224f9c354575be169d9fbaa098a960f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp376.tmp

Filesize
48KB

MD5
005c4c357da380c59047192ab45f70d9

SHA1
361550589e73c350ebffceb53dea00ea6b93fd41

SHA256
a9a0d2e098828ebc625332d95449289ffd401efc39ea3ff60823e84c27cc5b31

SHA512
b15fe18c1b97e0cd86728f39c3b3a1c444abca9bfa4c3a32ea49218f017a8a19ff11d8a247b2db6a84ad7af6e44364f35e1437e8a407f497c44f911ff219dc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
e63a355b12953ff6aca945972a9b6b62

SHA1
f612d7c7ad4056c1143c0019833fbd779387995f

SHA256
4f59a73a7746c6518837da7d1f1512c869b3b3ff3239afb09fd78fd5ff22b6b8

SHA512
74048b08768d9dcdc2d49b228d9f0b2edc68be23163eaad818e79144919cbdb545afa04e1fe5d323a51702555ff4c50b0b1d1aec4dc9c545d83c407361f85523

Download Submit
C:\Windows\SysWOW64\vcmgcd32.dl_

Filesize
17KB

MD5
65ec81c36efd75f8e4490b0d42aa2ced

SHA1
9be34710a967a4ecd5a7e6be0568bf8e2d9be007

SHA256
021dde0dc1ee1a9fd800a889885e91f345acc916fb852850f0adb0257903fa04

SHA512
7ece65926ca500015b0722e2c0d071124dc951accad36390a4aee62da72ecf592e54ff815e5de056696102a6a397d6b9c5d59e263efee7e1582e303348194bdd

Download Submit
C:\Windows\SysWOW64\vcmgcd32.dll

Filesize
36KB

MD5
ae22ca9f11ade8e362254b452cc07f78

SHA1
4b3cb548c547d3be76e571e0579a609969b05975

SHA256
20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

SHA512
9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

Download Submit
C:\Windows\java.exe

Filesize
48KB

MD5
abd1e1ea0a6edc0200605e6a4b8c0823

SHA1
4db49b8fb8fe1f91a3af9d0ab0a886b4bfb7cde6

SHA256
e1440f2b7aa2f9611afbc15d655749ce99e0d7fef0f28a5a10fb9033c2cb9975

SHA512
92675b8a0f2294959fdbb657c97c1a8257c8bfc40ef431f8294781837bddd4d89486aebe1916bf6411cff79f094d2c278c0eb5f66e43cb312cfc73c38e81ca42

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/400-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/408-199-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/852-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1304-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1696-56-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/1696-7-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1696-0-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/1836-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1836-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1868-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1868-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2036-57-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2036-60-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/2044-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2312-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2420-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2420-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2440-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2640-29-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2640-64-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/2640-566-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/2640-630-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/2640-677-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/2764-109-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2764-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2796-98-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2900-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3316-127-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3348-97-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3348-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3596-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3824-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4056-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4056-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4132-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4216-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4632-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4632-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4652-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4764-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5132-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-565-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-290-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-522-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5164-628-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5380-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5380-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5856-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5920-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5956-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6048-126-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6048-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6132-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6176-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6184-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6308-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6320-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6320-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6408-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6416-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6416-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6460-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6524-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6524-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6632-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6708-195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6716-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6780-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6964-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6980-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7008-234-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7108-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7200-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7252-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7272-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7424-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7440-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7440-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7568-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7576-250-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7576-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7760-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7768-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7768-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7924-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7932-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8108-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8128-243-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8160-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8184-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8300-253-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/17544-625-0x00007FF68C5C0000-0x00007FF68C627000-memory.dmp

Filesize
412KB

Download