darkcomet | c496be4729da4a43a85535f703376300daf37aa4b4afdc152e458a2d19252635

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Size

887KB
MD5

b02a280100658dac180fb724e5795d63
SHA1

463c0bfb9bf373fde8cab6c1569bfc935e29217b
SHA256

c496be4729da4a43a85535f703376300daf37aa4b4afdc152e458a2d19252635
SHA512

6ea78c90c90ebd7bb45fbd784e666a3a1efbcc9bea6d7c23c90528c742dc8b2546d8efe1dd9894d1ed5fe4b830c3d112f2079e4d2f2856d3dc0bbf051789083d
SSDEEP

24576:nrmYMFbtiJ2j+ozNoVv4HRZs4zzE22OGPK0zm8o:EFAMGzz

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

donar5551122.no-ip.biz:2121

Mutex

DC_MUTEX-BNEJ40E

Attributes

gencode
=h2�+kUHEfLT
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 11584 created 12028	11584	WerFaultSecure.exe	1143

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe

Executes dropped EXE 64 IoCs

pid	Process
3056	winux.exe
5848	cdlave.exe
3168	winux.exe
1540	winux.exe
5208	cdlave.exe
6100	winux.exe
4292	cdlave.exe
5376	winux.exe
4592	cdlave.exe
4692	winux.exe
4700	cdlave.exe
4608	winux.exe
876	cdlave.exe
4596	winux.exe
4852	cdlave.exe
5024	winux.exe
1380	cdlave.exe
5800	winux.exe
4716	cdlave.exe
6028	winux.exe
5488	cdlave.exe
5736	winux.exe
4448	cdlave.exe
5112	winux.exe
5364	cdlave.exe
3400	winux.exe
5572	cdlave.exe
2348	winux.exe
5484	cdlave.exe
2512	winux.exe
2372	cdlave.exe
5776	cdlave.exe
5244	winux.exe
5184	winux.exe
2232	cdlave.exe
5732	winux.exe
5516	cdlave.exe
1972	winux.exe
4752	cdlave.exe
6068	cdlave.exe
3940	winux.exe
4032	winux.exe
4576	cdlave.exe
1564	winux.exe
5008	cdlave.exe
1416	winux.exe
5492	cdlave.exe
6080	cdlave.exe
3924	winux.exe
2256	winux.exe
4956	cdlave.exe
4968	cdlave.exe
4528	winux.exe
1192	winux.exe
3928	cdlave.exe
2684	winux.exe
5456	cdlave.exe
4076	winux.exe
5816	cdlave.exe
1424	winux.exe
2460	cdlave.exe
4676	winux.exe
3628	cdlave.exe
1232	winux.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winux = "C:\\Users\\Admin\\AppData\\Roaming\\cdlave.exe"	cdlave.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5248 set thread context of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5848 set thread context of 3168	5848	cdlave.exe	86
PID 2656 set thread context of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 5208 set thread context of 6100	5208	cdlave.exe	96
PID 4292 set thread context of 5376	4292	cdlave.exe	100
PID 4592 set thread context of 4692	4592	cdlave.exe	104
PID 4700 set thread context of 4608	4700	cdlave.exe	108
PID 876 set thread context of 4596	876	cdlave.exe	112
PID 4852 set thread context of 5024	4852	cdlave.exe	116
PID 1380 set thread context of 5800	1380	cdlave.exe	120
PID 4716 set thread context of 6028	4716	cdlave.exe	124
PID 5488 set thread context of 5736	5488	cdlave.exe	128
PID 4448 set thread context of 5112	4448	cdlave.exe	132
PID 5364 set thread context of 3400	5364	cdlave.exe	136
PID 5572 set thread context of 2348	5572	cdlave.exe	140
PID 5484 set thread context of 2512	5484	cdlave.exe	144
PID 2372 set thread context of 5244	2372	cdlave.exe	149
PID 5776 set thread context of 5184	5776	cdlave.exe	150
PID 2232 set thread context of 5732	2232	cdlave.exe	156
PID 5516 set thread context of 1972	5516	cdlave.exe	160
PID 4752 set thread context of 3940	4752	cdlave.exe	165
PID 6068 set thread context of 4032	6068	cdlave.exe	166
PID 4576 set thread context of 1564	4576	cdlave.exe	172
PID 5008 set thread context of 1416	5008	cdlave.exe	175
PID 6080 set thread context of 3924	6080	cdlave.exe	182
PID 5492 set thread context of 2256	5492	cdlave.exe	183
PID 4968 set thread context of 4528	4968	cdlave.exe	191
PID 4956 set thread context of 1192	4956	cdlave.exe	192
PID 3928 set thread context of 2684	3928	cdlave.exe	198
PID 5456 set thread context of 4076	5456	cdlave.exe	203
PID 5816 set thread context of 1424	5816	cdlave.exe	208
PID 2460 set thread context of 4676	2460	cdlave.exe	213
PID 3628 set thread context of 1232	3628	cdlave.exe	220
PID 4236 set thread context of 6196	4236	cdlave.exe	228
PID 6244 set thread context of 6332	6244	cdlave.exe	233
PID 6272 set thread context of 6404	6272	cdlave.exe	236
PID 6540 set thread context of 6676	6540	cdlave.exe	245
PID 6576 set thread context of 6684	6576	cdlave.exe	246
PID 6756 set thread context of 6868	6756	cdlave.exe	254
PID 6824 set thread context of 7028	6824	cdlave.exe	262
PID 6988 set thread context of 6212	6988	cdlave.exe	266
PID 6748 set thread context of 7192	6748	cdlave.exe	277
PID 7288 set thread context of 7404	7288	cdlave.exe	283
PID 7316 set thread context of 7416	7316	cdlave.exe	284
PID 7532 set thread context of 7668	7532	cdlave.exe	295
PID 7612 set thread context of 7800	7612	cdlave.exe	298
PID 7676 set thread context of 7816	7676	cdlave.exe	300
PID 7844 set thread context of 8032	7844	cdlave.exe	311
PID 7952 set thread context of 7412	7952	cdlave.exe	316
PID 7964 set thread context of 7440	7964	cdlave.exe	317
PID 7868 set thread context of 8176	7868	cdlave.exe	322
PID 8132 set thread context of 8236	8132	cdlave.exe	323
PID 8072 set thread context of 8400	8072	cdlave.exe	328
PID 8724 set thread context of 8864	8724	cdlave.exe	342
PID 9004 set thread context of 9084	9004	cdlave.exe	352
PID 8484 set thread context of 9100	8484	cdlave.exe	370
PID 8280 set thread context of 9176	8280	cdlave.exe	371
PID 8504 set thread context of 8244	8504	cdlave.exe	372
PID 8436 set thread context of 8916	8436	cdlave.exe	2044
PID 4028 set thread context of 9428	4028	cdlave.exe	385
PID 5948 set thread context of 9580	5948	cdlave.exe	390
PID 4176 set thread context of 9776	4176	cdlave.exe	395
PID 8328 set thread context of 9908	8328	cdlave.exe	400
PID 5724 set thread context of 9916	5724	cdlave.exe	401

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
10096	9176	WerFault.exe	371
9724	7512	WerFault.exe	609
10612	7512	WerFault.exe	609
6392	11072	WerFault.exe	686
6420	10172	WerFault.exe	688
9700	3392	WerFault.exe	717
7876	11072	WerFault.exe	686
8028	8272	WerFault.exe	902
8608	11000	WerFault.exe	928
5252	9140	WerFault.exe	426

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdlave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5848	cdlave.exe
5848	cdlave.exe
5848	cdlave.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5208	cdlave.exe
5208	cdlave.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4292	cdlave.exe
4292	cdlave.exe
5208	cdlave.exe
5208	cdlave.exe
4592	cdlave.exe
4592	cdlave.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4292	cdlave.exe
4292	cdlave.exe
4700	cdlave.exe
4700	cdlave.exe
5208	cdlave.exe
5208	cdlave.exe
4592	cdlave.exe
4592	cdlave.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4292	cdlave.exe
4292	cdlave.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4700	cdlave.exe
4700	cdlave.exe
876	cdlave.exe
876	cdlave.exe
5208	cdlave.exe
5208	cdlave.exe
4592	cdlave.exe
4592	cdlave.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4852	cdlave.exe
4852	cdlave.exe
4292	cdlave.exe
4292	cdlave.exe
4292	cdlave.exe
4292	cdlave.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
4700	cdlave.exe
4700	cdlave.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
8232	Process not Found
4224	Process not Found
12292	Process not Found
10668	Process not Found
10484	Process not Found
9852	Process not Found
12844	Process not Found
10268	Process not Found
12576	Process not Found
8276	Process not Found
12920	Process not Found
7288	smss.exe
13232	Process not Found
11556	Process not Found
9148	Process not Found
7776	Process not Found
7868	smss.exe
8648	Process not Found
10748	Process not Found
5004	Process not Found
10736	Process not Found
1984	Process not Found
12608	Process not Found
8600	Process not Found
2396	Process not Found
9608	Process not Found
11920	Process not Found
2208	Process not Found
7632	Process not Found
7276	Process not Found
9636	Process not Found
12028	smss.exe
7408	smss.exe
3728	Process not Found
11060	Process not Found
12232	Process not Found
9040	Process not Found
10256	Process not Found
9812	Process not Found
5064	Process not Found
4680	Process not Found
11692	smss.exe
8248	Process not Found
12592	Process not Found
740	smss.exe
10336	Process not Found
1184	Process not Found
8804	Process not Found
9272	Process not Found
9348	Process not Found
1328	Process not Found
11508	Process not Found
10392	smss.exe
7560	Process not Found
11320	Process not Found
12724	Process not Found
8776	Process not Found
1088	Process not Found
7484	Process not Found
5816	smss.exe
9856	smss.exe
11812	Process not Found
12656	smss.exe
9320	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Token: SeIncreaseQuotaPrivilege	3056	winux.exe
Token: SeSecurityPrivilege	3056	winux.exe
Token: SeTakeOwnershipPrivilege	3056	winux.exe
Token: SeLoadDriverPrivilege	3056	winux.exe
Token: SeSystemProfilePrivilege	3056	winux.exe
Token: SeSystemtimePrivilege	3056	winux.exe
Token: SeProfSingleProcessPrivilege	3056	winux.exe
Token: SeIncBasePriorityPrivilege	3056	winux.exe
Token: SeCreatePagefilePrivilege	3056	winux.exe
Token: SeBackupPrivilege	3056	winux.exe
Token: SeRestorePrivilege	3056	winux.exe
Token: SeShutdownPrivilege	3056	winux.exe
Token: SeDebugPrivilege	3056	winux.exe
Token: SeSystemEnvironmentPrivilege	3056	winux.exe
Token: SeChangeNotifyPrivilege	3056	winux.exe
Token: SeRemoteShutdownPrivilege	3056	winux.exe
Token: SeUndockPrivilege	3056	winux.exe
Token: SeManageVolumePrivilege	3056	winux.exe
Token: SeImpersonatePrivilege	3056	winux.exe
Token: SeCreateGlobalPrivilege	3056	winux.exe
Token: 33	3056	winux.exe
Token: 34	3056	winux.exe
Token: 35	3056	winux.exe
Token: 36	3056	winux.exe
Token: SeDebugPrivilege	5848	cdlave.exe
Token: SeIncreaseQuotaPrivilege	3168	winux.exe
Token: SeSecurityPrivilege	3168	winux.exe
Token: SeTakeOwnershipPrivilege	3168	winux.exe
Token: SeLoadDriverPrivilege	3168	winux.exe
Token: SeSystemProfilePrivilege	3168	winux.exe
Token: SeSystemtimePrivilege	3168	winux.exe
Token: SeProfSingleProcessPrivilege	3168	winux.exe
Token: SeIncBasePriorityPrivilege	3168	winux.exe
Token: SeCreatePagefilePrivilege	3168	winux.exe
Token: SeBackupPrivilege	3168	winux.exe
Token: SeRestorePrivilege	3168	winux.exe
Token: SeShutdownPrivilege	3168	winux.exe
Token: SeDebugPrivilege	3168	winux.exe
Token: SeSystemEnvironmentPrivilege	3168	winux.exe
Token: SeChangeNotifyPrivilege	3168	winux.exe
Token: SeRemoteShutdownPrivilege	3168	winux.exe
Token: SeUndockPrivilege	3168	winux.exe
Token: SeManageVolumePrivilege	3168	winux.exe
Token: SeImpersonatePrivilege	3168	winux.exe
Token: SeCreateGlobalPrivilege	3168	winux.exe
Token: 33	3168	winux.exe
Token: 34	3168	winux.exe
Token: 35	3168	winux.exe
Token: 36	3168	winux.exe
Token: SeRestorePrivilege	3636	dw20.exe
Token: SeBackupPrivilege	3636	dw20.exe
Token: SeDebugPrivilege	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
Token: SeBackupPrivilege	3636	dw20.exe
Token: SeBackupPrivilege	3636	dw20.exe
Token: SeIncreaseQuotaPrivilege	1540	winux.exe
Token: SeSecurityPrivilege	1540	winux.exe
Token: SeTakeOwnershipPrivilege	1540	winux.exe
Token: SeLoadDriverPrivilege	1540	winux.exe
Token: SeSystemProfilePrivilege	1540	winux.exe
Token: SeSystemtimePrivilege	1540	winux.exe
Token: SeProfSingleProcessPrivilege	1540	winux.exe
Token: SeIncBasePriorityPrivilege	1540	winux.exe
Token: SeCreatePagefilePrivilege	1540	winux.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	winux.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5248 wrote to memory of 3056	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	82
PID 5212 wrote to memory of 5848	5212	cmd.exe	85
PID 5212 wrote to memory of 5848	5212	cmd.exe	85
PID 5212 wrote to memory of 5848	5212	cmd.exe	85
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5848 wrote to memory of 3168	5848	cdlave.exe	86
PID 5248 wrote to memory of 2656	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	89
PID 5248 wrote to memory of 2656	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	89
PID 5248 wrote to memory of 2656	5248	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	89
PID 5848 wrote to memory of 3636	5848	cdlave.exe	90
PID 5848 wrote to memory of 3636	5848	cdlave.exe	90
PID 5848 wrote to memory of 3636	5848	cdlave.exe	90
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 2656 wrote to memory of 1540	2656	JaffaCakes118_b02a280100658dac180fb724e5795d63.exe	91
PID 5308 wrote to memory of 5208	5308	cmd.exe	95
PID 5308 wrote to memory of 5208	5308	cmd.exe	95
PID 5308 wrote to memory of 5208	5308	cmd.exe	95
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96
PID 5208 wrote to memory of 6100	5208	cdlave.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b02a280100658dac180fb724e5795d63.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5248
- C:\Users\Admin\AppData\Roaming\winux.exe
  C:\Users\Admin\AppData\Roaming\winux.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b02a280100658dac180fb724e5795d63.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b02a280100658dac180fb724e5795d63.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1288
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10404
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 900
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:11448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5212
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5848
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1116
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5208
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:116
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Enumerates system info in registry
    PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4204
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1560
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1380
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4716
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:6028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    PID:13196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3320
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5488
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1420
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5364
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    PID:9736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5572
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3784
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5484
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3112
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2372
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1864
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5776
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3588
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5516
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1092
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2232
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4752
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3872
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6068
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1832
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    PID:10392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5008
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1068
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6080
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    PID:11172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2616
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5492
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4968
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4956
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1192
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3928
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:512
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5456
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5816
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:840
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2460
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:4676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1532
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4236
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2124
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3628
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - Executes dropped EXE
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:448
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6272
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6244
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:6576
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6084
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:6540
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1336
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:6824
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2688
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6756
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6172
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:6988
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6256
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6748
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6364
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:7288
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 884
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:11588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6456
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:7316
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6476
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:7532
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6560
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7612
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6724
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:7676
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6764
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:7844
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6788
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:7964
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6852
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:7952
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6912
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:8132
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7012
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:7868
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7132
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:8072
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7140
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:8504
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6568
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:8724
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6720
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:8328
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6932
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:7784
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7184
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:8280
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9176 -s 548
      4⤵
      Program crash
      PID:10096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7308
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:8484
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 848
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7488
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4028
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7496
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:8436
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7504
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:9004
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7516
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5948
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7760
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:8992
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7808
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5724
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 920
    3⤵
    - Enumerates system info in registry
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7944
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4176
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7976
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9276
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9232
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:13052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7984
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9404
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 784
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7264
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7880
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9332
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7692
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8344
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10104
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8352
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8416
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9888
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8476
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9376
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - Enumerates system info in registry
    PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8596
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9140
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    PID:11944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9140 -s 968
    3⤵
    - Program crash
    PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8616
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9896
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8640
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9960
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8884
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:10212
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8940
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10844
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:11112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8948
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8972
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9168
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9192
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:6928
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9340
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9348
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9356
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 9176 -ip 9176
1⤵
PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9684
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9728
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:11756
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:11980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9792
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10148
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:11788
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:11988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10000
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 880
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:9128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10116
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10096
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 892
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10016
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10528
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8652
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 912
    3⤵
    PID:11256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10624
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 800
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10664
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10684
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10804
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10960
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11116
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9596
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 544
      4⤵
      Program crash
      PID:9724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 548
      4⤵
      Program crash
      PID:10612
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11124
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:11352
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11204
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9220
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    PID:11160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8684
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11084
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7424
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:10908
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11528
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9640
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8388 -ip 8388
1⤵
PID:11544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 11356 -ip 11356
1⤵
PID:11680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11832
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11888
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11896
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11936
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:3752
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10172 -s 548
      4⤵
      Program crash
      PID:6420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12156
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12260
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12268
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12284
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:10828
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 864
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9560
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11072 -s 548
      4⤵
      Program crash
      PID:6392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11072 -s 548
      4⤵
      Program crash
      PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10500
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10812
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11912
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11000
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6128 -ip 6128
1⤵
PID:9572

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 12028 -i 12028 -h 472 -j 636 -s 676 -d 0
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:11584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8536
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9864
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 548
      4⤵
      Program crash
      PID:9700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8768
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 904
    3⤵
    PID:12188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11592
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5156
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10140
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 876
    3⤵
    PID:9940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11560
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7512 -ip 7512
1⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11160
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7656
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12376
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 884
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9556
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 832
    3⤵
    PID:9296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11752
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:5644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 860
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7436
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12128
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10640
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12368
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:10500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 876
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11032
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 880
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:12284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9516

C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 12028 -s 780
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:9184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9404
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 804
    3⤵
    - Enumerates system info in registry
    PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11740
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11648
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 916
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9052
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:13080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    PID:8492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6720
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 880
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11552
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11716
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 840
    3⤵
    - Enumerates system info in registry
    PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7512 -ip 7512
1⤵
PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 11072 -ip 11072
1⤵
PID:12196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 10172 -ip 10172
1⤵
PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9012
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:13052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 3392 -ip 3392
1⤵
PID:9272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 11072 -ip 11072
1⤵
PID:10772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11068
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 836
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:11228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9596
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:9772
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:7304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 796
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9160

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10892
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11892
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11268
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:9952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 876
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:10732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8320
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 784
    3⤵
    PID:12668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:13148
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:7352
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:13184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2176
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12916
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    PID:10064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11028
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:4120
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:9808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9900
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:12056
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12376
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:3180
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9708
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:8272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 548
      4⤵
      Program crash
      PID:8028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12848
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  PID:8340
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10520
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11052
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12464
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8968
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:12272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11460
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 820
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4764
- - C:\Users\Admin\AppData\Roaming\winux.exe
    C:\Users\Admin\AppData\Roaming\winux.exe
    3⤵
    PID:11000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11000 -s 548
      4⤵
      Program crash
      PID:8608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11140
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11428
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 784
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7344
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11136
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12856
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:8012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11564
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:11228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8272 -ip 8272
1⤵
PID:11992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10392
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9636
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7632
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11200
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12208
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:10272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9324
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  PID:12468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12840
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:12316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 11000 -ip 11000
1⤵
PID:12396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8152
- C:\Users\Admin\AppData\Roaming\cdlave.exe
  C:\Users\Admin\AppData\Roaming\cdlave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7928

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 9140 -ip 9140
1⤵
PID:11892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:620

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10488
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1676

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13176

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:540

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8692

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:3408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:10340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:12828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\cdlave.exe
1⤵
PID:1020

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:7288

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:7868

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:12028

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:7408

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:11692

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:740

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:10392

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:5816

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:9856

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:12656

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:9196

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:8020

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:3684

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:11080

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:13292

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:2844

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:8340

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:9404

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:9140

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d0 00000084
1⤵
PID:5620

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:6344

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d0 00000084
1⤵
PID:5248

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:12248

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:11452

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:10384

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:11356

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:5724

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:11112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:5496

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:9980

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:7300

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:6128

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:9332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000009c 00000084
1⤵
PID:9888

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:8328

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:7784

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:8916

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:4176

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:11488

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:9960

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:8704

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:10908

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:11588

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:10064

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:11276

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:388

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:8460

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:10008

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:3752

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000009c 00000084
1⤵
PID:12188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:11172

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000009c 00000084
1⤵
PID:9180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:10404

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000009c 00000084
1⤵
PID:9772

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:12236

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:11228

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:8692

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:10732

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:4064

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:8652

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:12468

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:7900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:1732

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:12284

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:11204

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:9408

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000009c 00000084
1⤵
PID:9748

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:12008

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:13052

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:9864

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:10624

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:10828

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:9648

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:12420

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:3456

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:11900

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:11008

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:12356

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:13264

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:10064

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:12580

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:9940

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:12668

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:12260

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:8660

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:9172

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:9808

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:7884

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:11648

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:12056

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:8968

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:12376

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:10520

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 00000084
1⤵
PID:9928

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:13092

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:7392

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:7188

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:5644

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:816

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:9112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:13052

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:7112

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:12272

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:8108

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a4 00000084
1⤵
PID:3180

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:4120

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:4764

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:7352

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000084
1⤵
PID:13236

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:12608

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 00000084
1⤵
PID:4288

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:13164

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 00000084
1⤵
PID:3648

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:13260

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:10272

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:6920

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:7624

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:7876

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:8012

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:9552

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ac 00000084
1⤵
PID:12828

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cdlave.exe

Filesize
887KB

MD5
b02a280100658dac180fb724e5795d63

SHA1
463c0bfb9bf373fde8cab6c1569bfc935e29217b

SHA256
c496be4729da4a43a85535f703376300daf37aa4b4afdc152e458a2d19252635

SHA512
6ea78c90c90ebd7bb45fbd784e666a3a1efbcc9bea6d7c23c90528c742dc8b2546d8efe1dd9894d1ed5fe4b830c3d112f2079e4d2f2856d3dc0bbf051789083d

Download Submit
C:\Users\Admin\AppData\Roaming\winux.exe

Filesize
1KB

MD5
8e19c7307542aca6356fd52d97aa8b8e

SHA1
356d339e9b2d69f32db3d56d8c0084f0f1a31552

SHA256
333825e0223c4d68a95521a87bee4acf8e8502b922b73a9b4d488e8e0b7baa08

SHA512
c6466258e2244c2d0a4d6bd73e3adbeedcc5e3c0ade3421c403034f57319d3c15b5fbc4091384c5f74ef23b927eb28ce050e8d43ed25e2f864231fc194e65b99

Download Submit
memory/1540-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2348-114-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-16-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-10-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-6-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-13-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3056-12-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3056-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3168-30-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3168-27-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3400-108-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4596-71-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4608-65-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4692-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5024-77-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5112-101-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5248-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5248-120-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5248-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5248-422-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5248-116-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/5248-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/5248-149-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5376-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5736-95-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5800-83-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5848-46-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5848-22-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5848-21-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/5848-20-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/6028-90-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/6100-47-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download