warzonerat | d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
Size

409KB
MD5

f672d1603b04f6a1bb2c1168429768de
SHA1

7321c9d98b08b4e2a59240666a17787d583e74f0
SHA256

d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165
SHA512

21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575
SSDEEP

12288:L2LfajrFOnz+EtLLz7YVWy+OPWejt/pTwQqXPU:L2Lmw+EtYVR1Fjt/pTwQqs

Score

10^/10

warzonerat infostealer persistence rat upx

Malware Config

Extracted

Family

warzonerat

111.90.146.200:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 14 IoCs

rat

resource	yara_rule
behavioral2/memory/2492-9-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/2492-14-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/2492-5-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1852-38-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/5040-60-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1852-61-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/2492-23-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1852-80-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/3812-98-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/5040-120-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/3812-156-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/4676-189-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1912-212-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/4900-235-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
4568	images.exe
1852	images.exe
4628	images.exe
1208	images.exe
3812	images.exe
4016	images.exe
4604	images.exe
4676	images.exe
4048	images.exe
3004	images.exe
1912	images.exe
368	images.exe
3196	images.exe
4264	images.exe
4900	images.exe
732	images.exe
1968	images.exe
3296	images.exe
4128	images.exe
3584	images.exe
4808	images.exe
4492	images.exe
4016	images.exe
892	images.exe
624	images.exe
4288	images.exe
5104	images.exe
4392	images.exe
3084	images.exe
5016	images.exe
4240	images.exe
2976	images.exe
3444	images.exe
4924	images.exe
2356	images.exe
2608	images.exe
4708	images.exe
3472	images.exe
2972	images.exe
2448	images.exe
3460	images.exe
868	images.exe
3172	images.exe
4492	images.exe
2008	images.exe
3104	images.exe
1052	images.exe
1656	images.exe
3976	images.exe
4392	images.exe
3076	images.exe
2252	images.exe
1860	images.exe
4636	images.exe
4972	images.exe
1108	images.exe
4616	images.exe
1440	images.exe
716	images.exe
3520	images.exe
2748	images.exe
1464	images.exe
3488	images.exe
3172	images.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/432-0-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/432-2-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4908-10-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4908-16-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4908-11-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/432-3-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/files/0x00070000000233e5-22.dat	upx
behavioral2/memory/4568-25-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4568-28-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4568-30-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4520-32-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4520-49-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/2984-53-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/2984-64-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4628-56-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4628-45-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4520-35-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/1208-84-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/1208-86-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4016-100-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4016-101-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4016-94-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/1208-89-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4604-164-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4048-177-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/3004-194-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/368-208-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/3196-218-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4264-228-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/732-241-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe"	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 2492	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	86
PID 4568 set thread context of 1852	4568	images.exe	97
PID 4520 set thread context of 5040	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	100
PID 1208 set thread context of 3812	1208	images.exe	104
PID 4604 set thread context of 4676	4604	images.exe	112
PID 3004 set thread context of 1912	3004	images.exe	118
PID 3196 set thread context of 4900	3196	images.exe	122
PID 732 set thread context of 1968	732	images.exe	126
PID 4128 set thread context of 3584	4128	images.exe	130
PID 4492 set thread context of 4016	4492	images.exe	134
PID 624 set thread context of 4288	624	images.exe	138
PID 4392 set thread context of 3084	4392	images.exe	142
PID 4240 set thread context of 2976	4240	images.exe	146
PID 4924 set thread context of 2356	4924	images.exe	150
PID 4708 set thread context of 3472	4708	images.exe	154
PID 2448 set thread context of 3460	2448	images.exe	158
PID 3172 set thread context of 4492	3172	images.exe	162
PID 3104 set thread context of 1052	3104	images.exe	166
PID 3976 set thread context of 4392	3976	images.exe	170
PID 2252 set thread context of 1860	2252	images.exe	174
PID 4972 set thread context of 1108	4972	images.exe	178
PID 1440 set thread context of 716	1440	images.exe	182
PID 2748 set thread context of 1464	2748	images.exe	188
PID 3172 set thread context of 4988	3172	images.exe	192
PID 3020 set thread context of 3104	3020	images.exe	196
PID 756 set thread context of 3676	756	images.exe	200
PID 4936 set thread context of 4348	4936	images.exe	204
PID 1544 set thread context of 3196	1544	images.exe	208
PID 732 set thread context of 2568	732	images.exe	212
PID 4808 set thread context of 4472	4808	images.exe	216
PID 4908 set thread context of 892	4908	images.exe	220
PID 2824 set thread context of 4800	2824	images.exe	224
PID 3772 set thread context of 4620	3772	images.exe	228
PID 2544 set thread context of 3152	2544	images.exe	232
PID 3208 set thread context of 4904	3208	images.exe	236
PID 2392 set thread context of 4160	2392	images.exe	240
PID 8 set thread context of 4836	8	images.exe	245
PID 2920 set thread context of 1716	2920	images.exe	249
PID 1592 set thread context of 4272	1592	images.exe	253
PID 3944 set thread context of 3912	3944	images.exe	257
PID 2504 set thread context of 4188	2504	images.exe	261
PID 3080 set thread context of 4636	3080	images.exe	265
PID 2420 set thread context of 1948	2420	images.exe	269
PID 3112 set thread context of 832	3112	images.exe	273
PID 1788 set thread context of 1708	1788	images.exe	277
PID 4568 set thread context of 1840	4568	images.exe	281
PID 4064 set thread context of 4896	4064	images.exe	285
PID 3216 set thread context of 3248	3216	images.exe	289
PID 5016 set thread context of 1512	5016	images.exe	293
PID 1544 set thread context of 1868	1544	images.exe	297
PID 4312 set thread context of 4420	4312	images.exe	301
PID 1744 set thread context of 1972	1744	images.exe	305
PID 2028 set thread context of 3760	2028	images.exe	309
PID 3916 set thread context of 2604	3916	images.exe	313
PID 4152 set thread context of 3864	4152	images.exe	317
PID 4484 set thread context of 4256	4484	images.exe	321
PID 3444 set thread context of 392	3444	images.exe	325
PID 1512 set thread context of 3352	1512	images.exe	329
PID 3536 set thread context of 4580	3536	images.exe	333
PID 3116 set thread context of 4808	3116	images.exe	337
PID 4128 set thread context of 4536	4128	images.exe	341
PID 1884 set thread context of 1100	1884	images.exe	345
PID 1628 set thread context of 3476	1628	images.exe	349
PID 3772 set thread context of 4136	3772	images.exe	353

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4568	images.exe
4568	images.exe
4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4628	images.exe
4628	images.exe
4628	images.exe
4628	images.exe
4628	images.exe
4628	images.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4628	images.exe
4628	images.exe
3484	powershell.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4628	images.exe
4628	images.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4628	images.exe
4628	images.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
2984	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4628	images.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
4568	images.exe
4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
1208	images.exe
4604	images.exe
3004	images.exe
3196	images.exe
732	images.exe
4128	images.exe
4492	images.exe
624	images.exe
4392	images.exe
4240	images.exe
4924	images.exe
4708	images.exe
2448	images.exe
3172	images.exe
3104	images.exe
3976	images.exe
2252	images.exe
4972	images.exe
1440	images.exe
2748	images.exe
3172	images.exe
3020	images.exe
756	images.exe
4936	images.exe
1544	images.exe
732	images.exe
4808	images.exe
4908	images.exe
2824	images.exe
3772	images.exe
2544	images.exe
3208	images.exe
2392	images.exe
8	images.exe
2920	images.exe
1592	images.exe
3944	images.exe
2504	images.exe
3080	images.exe
2420	images.exe
3112	images.exe
1788	images.exe
4568	images.exe
4064	images.exe
3216	images.exe
5016	images.exe
1544	images.exe
4312	images.exe
1744	images.exe
2028	images.exe
3916	images.exe
4152	images.exe
4484	images.exe
3444	images.exe
1512	images.exe
3536	images.exe
3116	images.exe
4128	images.exe
1884	images.exe
1628	images.exe
3772	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1968	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	85
PID 432 wrote to memory of 1968	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	85
PID 432 wrote to memory of 1968	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	85
PID 432 wrote to memory of 1968	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	85
PID 432 wrote to memory of 1968	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	85
PID 432 wrote to memory of 2492	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	86
PID 432 wrote to memory of 2492	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	86
PID 432 wrote to memory of 2492	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	86
PID 432 wrote to memory of 4908	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	87
PID 432 wrote to memory of 4908	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	87
PID 432 wrote to memory of 4908	432	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	87
PID 2492 wrote to memory of 3484	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	92
PID 2492 wrote to memory of 3484	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	92
PID 2492 wrote to memory of 3484	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	92
PID 2492 wrote to memory of 4568	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	94
PID 2492 wrote to memory of 4568	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	94
PID 2492 wrote to memory of 4568	2492	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	94
PID 4908 wrote to memory of 4520	4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	95
PID 4908 wrote to memory of 4520	4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	95
PID 4908 wrote to memory of 4520	4908	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	95
PID 4568 wrote to memory of 3548	4568	images.exe	96
PID 4568 wrote to memory of 3548	4568	images.exe	96
PID 4568 wrote to memory of 3548	4568	images.exe	96
PID 4568 wrote to memory of 3548	4568	images.exe	96
PID 4568 wrote to memory of 3548	4568	images.exe	96
PID 4568 wrote to memory of 1852	4568	images.exe	97
PID 4568 wrote to memory of 1852	4568	images.exe	97
PID 4568 wrote to memory of 1852	4568	images.exe	97
PID 4568 wrote to memory of 4628	4568	images.exe	98
PID 4568 wrote to memory of 4628	4568	images.exe	98
PID 4568 wrote to memory of 4628	4568	images.exe	98
PID 4520 wrote to memory of 4760	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	99
PID 4520 wrote to memory of 4760	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	99
PID 4520 wrote to memory of 4760	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	99
PID 4520 wrote to memory of 4760	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	99
PID 4520 wrote to memory of 4760	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	99
PID 4520 wrote to memory of 5040	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	100
PID 4520 wrote to memory of 5040	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	100
PID 4520 wrote to memory of 5040	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	100
PID 4520 wrote to memory of 2984	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	101
PID 4520 wrote to memory of 2984	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	101
PID 4520 wrote to memory of 2984	4520	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	101
PID 4628 wrote to memory of 1208	4628	images.exe	102
PID 4628 wrote to memory of 1208	4628	images.exe	102
PID 4628 wrote to memory of 1208	4628	images.exe	102
PID 1208 wrote to memory of 3976	1208	images.exe	103
PID 1208 wrote to memory of 3976	1208	images.exe	103
PID 1208 wrote to memory of 3976	1208	images.exe	103
PID 1208 wrote to memory of 3976	1208	images.exe	103
PID 1208 wrote to memory of 3976	1208	images.exe	103
PID 1208 wrote to memory of 3812	1208	images.exe	104
PID 1208 wrote to memory of 3812	1208	images.exe	104
PID 1208 wrote to memory of 3812	1208	images.exe	104
PID 1208 wrote to memory of 4016	1208	images.exe	105
PID 1208 wrote to memory of 4016	1208	images.exe	105
PID 1208 wrote to memory of 4016	1208	images.exe	105
PID 5040 wrote to memory of 1592	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	106
PID 5040 wrote to memory of 1592	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	106
PID 5040 wrote to memory of 1592	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	106
PID 5040 wrote to memory of 3552	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	107
PID 5040 wrote to memory of 3552	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	107
PID 5040 wrote to memory of 3552	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	107
PID 5040 wrote to memory of 3552	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	107
PID 5040 wrote to memory of 3552	5040	f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe	107

C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Drops startup file
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Drops startup file
      PID:3548
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe" 2 1852 240595265
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        6⤵
        Drops startup file
        
        PID:3976
      - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        6⤵
        Executes dropped EXE
        
        PID:3812
      - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3812 240597343
        6⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4604
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        8⤵
        Drops startup file
        
        PID:4568
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        8⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4676 240599406
        8⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3004
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        10⤵
        Drops startup file
        
        PID:1240
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        10⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1912 240600703
        10⤵
        Executes dropped EXE
        
        PID:368
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3196
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        12⤵
        Drops startup file
        
        PID:4972
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        12⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4900 240601953
        12⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:732
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        14⤵
        Drops startup file
        
        PID:2144
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        14⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1968 240603296
        14⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4128
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        16⤵
        
        PID:4388
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        16⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3584 240604750
        16⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4492
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        18⤵
        Drops startup file
        
        PID:4952
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        18⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4016 240606171
        18⤵
        Executes dropped EXE
        
        PID:892
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:624
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        20⤵
        
        PID:216
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        20⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4288 240607515
        20⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4392
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        22⤵
        Drops startup file
        
        PID:3028
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        22⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3084 240608875
        22⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4240
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        24⤵
        Drops startup file
        
        PID:4636
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        24⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2976 240610265
        24⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4924
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        26⤵
        Drops startup file
        
        PID:1340
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        26⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2356 240611625
        26⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4708
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        28⤵
        Drops startup file
        
        PID:2396
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        28⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3472 240612937
        28⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2448
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        30⤵
        Drops startup file
        
        PID:8
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        30⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3460 240614234
        30⤵
        Executes dropped EXE
        
        PID:868
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3172
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        32⤵
        
        PID:2920
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        32⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4492 240615562
        32⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3104
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        34⤵
        Drops startup file
        
        PID:4896
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        34⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1052 240616984
        34⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3976
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        36⤵
        
        PID:3704
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        36⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4392 240618234
        36⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2252
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        38⤵
        Drops startup file
        
        PID:3292
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        38⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1860 240619468
        38⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4972
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        40⤵
        
        PID:4700
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        40⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1108 240620734
        40⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1440
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        42⤵
        Drops startup file
        
        PID:2236
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        42⤵
        Executes dropped EXE
        
        PID:716
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 716 240622046
        42⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2748
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        44⤵
        
        PID:840
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        44⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1464 240623312
        44⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3172
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        46⤵
        Drops startup file
        
        PID:2432
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        46⤵
        
        PID:4988
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4988 240624593
        46⤵
        
        PID:1832
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3020
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        48⤵
        
        PID:4896
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        48⤵
        
        PID:3104
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3104 240625859
        48⤵
        
        PID:2104
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:756
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        50⤵
        Drops startup file
        
        PID:2480
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        50⤵
        
        PID:3676
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3676 240627125
        50⤵
        
        PID:3152
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4936
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        52⤵
        Drops startup file
        
        PID:2932
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        52⤵
        
        PID:4348
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4348 240628375
        52⤵
        
        PID:4904
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1544
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        54⤵
        
        PID:3984
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        54⤵
        
        PID:3196
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3196 240629625
        54⤵
        
        PID:4780
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:732
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        56⤵
        Drops startup file
        
        PID:2520
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        56⤵
        
        PID:2568
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2568 240630828
        56⤵
        
        PID:1916
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4808
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        58⤵
        
        PID:5112
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        58⤵
        
        PID:4472
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4472 240632078
        58⤵
        
        PID:1520
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4908
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        60⤵
        Drops startup file
        
        PID:3488
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        60⤵
        
        PID:892
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 892 240633406
        60⤵
        
        PID:3548
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2824
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        62⤵
        
        PID:3544
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        62⤵
        
        PID:4800
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4800 240634687
        62⤵
        
        PID:2428
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        63⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3772
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        64⤵
        
        PID:4680
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        64⤵
        
        PID:4620
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4620 240635953
        64⤵
        
        PID:4432
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        65⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2544
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        66⤵
        
        PID:3616
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        66⤵
        
        PID:3152
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3152 240637265
        66⤵
        
        PID:4244
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3208
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        68⤵
        Drops startup file
        
        PID:392
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        68⤵
        
        PID:4904
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4904 240638515
        68⤵
        
        PID:1604
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2392
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        70⤵
        
        PID:4420
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        70⤵
        
        PID:4160
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4160 240639828
        70⤵
        
        PID:4728
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:8
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        72⤵
        Drops startup file
        
        PID:1916
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        72⤵
        
        PID:4836
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4836 240641078
        72⤵
        
        PID:4000
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2920
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        74⤵
        Drops startup file
        
        PID:4204
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        74⤵
        
        PID:1716
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1716 240642375
        74⤵
        
        PID:1992
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1592
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        76⤵
        
        PID:3548
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        76⤵
        
        PID:4272
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4272 240643625
        76⤵
        
        PID:3132
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3944
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        78⤵
        
        PID:2428
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        78⤵
        
        PID:3912
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3912 240644890
        78⤵
        
        PID:4364
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2504
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        80⤵
        
        PID:5016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        80⤵
        
        PID:4188
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4188 240646281
        80⤵
        
        PID:3292
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3080
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        82⤵
        
        PID:4376
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        82⤵
        
        PID:4636
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4636 240647515
        82⤵
        
        PID:4496
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2420
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        84⤵
        Drops startup file
        
        PID:4312
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        84⤵
        
        PID:1948
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1948 240648781
        84⤵
        
        PID:2392
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        85⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3112
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        86⤵
        Drops startup file
        
        PID:408
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        86⤵
        
        PID:832
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 832 240650062
        86⤵
        
        PID:1452
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1788
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        88⤵
        Drops startup file
        
        PID:5112
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        88⤵
        
        PID:1708
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1708 240651453
        88⤵
        
        PID:544
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        89⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4568
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        90⤵
        Drops startup file
        
        PID:2920
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        90⤵
        
        PID:1840
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1840 240652703
        90⤵
        
        PID:4908
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4064
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        92⤵
        Drops startup file
        
        PID:3904
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        92⤵
        
        PID:4896
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4896 240653953
        92⤵
        
        PID:5104
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3216
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        94⤵
        
        PID:4256
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        94⤵
        
        PID:3248
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3248 240655218
        94⤵
        
        PID:4308
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5016
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        96⤵
        
        PID:1304
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        96⤵
        
        PID:1512
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1512 240656500
        96⤵
        
        PID:940
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        97⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1544
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        98⤵
        
        PID:4448
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        98⤵
        
        PID:1868
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1868 240657781
        98⤵
        
        PID:1604
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4312
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        100⤵
        
        PID:4116
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        100⤵
        
        PID:4420
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4420 240659015
        100⤵
        
        PID:4540
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        101⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1744
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        102⤵
        Drops startup file
        
        PID:4156
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        102⤵
        
        PID:1972
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1972 240660421
        102⤵
        
        PID:3992
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2028
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        104⤵
        
        PID:2332
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        104⤵
        
        PID:3760
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3760 240661625
        104⤵
        
        PID:932
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3916
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        106⤵
        Drops startup file
        
        PID:3172
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        106⤵
        
        PID:2604
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2604 240662890
        106⤵
        
        PID:948
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4152
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        108⤵
        
        PID:3772
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        108⤵
        
        PID:3864
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3864 240664203
        108⤵
        
        PID:2172
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        109⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4484
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        110⤵
        Drops startup file
        
        PID:3004
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        110⤵
        
        PID:4256
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4256 240665500
        110⤵
        
        PID:316
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3444
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        112⤵
        Drops startup file
        
        PID:2032
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        112⤵
        
        PID:392
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 392 240666796
        112⤵
        
        PID:4628
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1512
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        114⤵
        
        PID:4032
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        114⤵
        
        PID:3352
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3352 240668140
        114⤵
        
        PID:4264
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3536
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        116⤵
        Drops startup file
        
        PID:4708
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        116⤵
        
        PID:4580
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4580 240669531
        116⤵
        
        PID:3296
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        117⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3116
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        118⤵
        
        PID:1768
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        118⤵
        
        PID:4808
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4808 240670875
        118⤵
        
        PID:3660
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4128
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        120⤵
        Drops startup file
        
        PID:924
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        120⤵
        
        PID:4536
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4536 240672187
        120⤵
        
        PID:1560
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1884
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        122⤵
        Drops startup file
        
        PID:4568
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        122⤵
        
        PID:1100
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1100 240673437
        122⤵
        
        PID:1764
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1628
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        124⤵
        Drops startup file
        
        PID:2564
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        124⤵
        
        PID:3476
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3476 240674750
        124⤵
        
        PID:4360
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        125⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3772
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        126⤵
        
        PID:1824
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        126⤵
        
        PID:4136
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4136 240676031
        126⤵
        
        PID:4680
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        127⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        128⤵
        Drops startup file
        
        PID:1208
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        128⤵
        
        PID:4208
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4208 240677375
        128⤵
        
        PID:3028
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        129⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        130⤵
        Drops startup file
        
        PID:5016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        130⤵
        
        PID:3080
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3080 240678656
        130⤵
        
        PID:5052
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        131⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        132⤵
        
        PID:3996
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        132⤵
        
        PID:4296
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4296 240679906
        132⤵
        
        PID:4264
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        133⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        134⤵
        
        PID:2392
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        134⤵
        
        PID:2016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2016 240681156
        134⤵
        
        PID:4528
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        135⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        136⤵
        
        PID:4796
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        136⤵
        
        PID:4944
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4944 240682468
        136⤵
        
        PID:1508
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        137⤵
        
        PID:868
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        138⤵
        Drops startup file
        
        PID:4128
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        138⤵
        
        PID:3796
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3796 240683781
        138⤵
        
        PID:1856
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        139⤵
        
        PID:780
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        140⤵
        Drops startup file
        
        PID:980
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        140⤵
        
        PID:2400
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2400 240685156
        140⤵
        
        PID:1764
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        141⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        142⤵
        
        PID:4048
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        142⤵
        
        PID:3032
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3032 240686515
        142⤵
        
        PID:4852
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        143⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        144⤵
        
        PID:3256
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        144⤵
        
        PID:3076
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3076 240687734
        144⤵
        
        PID:2644
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        145⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        146⤵
        
        PID:1260
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        146⤵
        
        PID:4364
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4364 240689015
        146⤵
        
        PID:4396
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        147⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        148⤵
        Drops startup file
        
        PID:940
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        148⤵
        
        PID:4240
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4240 240690312
        148⤵
        
        PID:4368
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        149⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        150⤵
        Drops startup file
        
        PID:636
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        150⤵
        
        PID:3640
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3640 240691562
        150⤵
        
        PID:4336
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        151⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        152⤵
        
        PID:2628
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        152⤵
        
        PID:4312
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4312 240692984
        152⤵
        
        PID:1928
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        153⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        154⤵
        Drops startup file
        
        PID:1452
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        154⤵
        
        PID:2384
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2384 240694328
        154⤵
        
        PID:4788
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        155⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        156⤵
        
        PID:2012
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        156⤵
        
        PID:3692
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3692 240695562
        156⤵
        
        PID:924
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        157⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        158⤵
        
        PID:4604
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        158⤵
        
        PID:3488
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3488 240696843
        158⤵
        
        PID:3420
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        159⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        160⤵
        Drops startup file
        
        PID:3544
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        160⤵
        
        PID:2008
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2008 240698046
        160⤵
        
        PID:2184
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        161⤵
        
        PID:628
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        162⤵
        
        PID:4120
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        162⤵
        
        PID:3976
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3976 240699359
        162⤵
        
        PID:3704
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        163⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        164⤵
        
        PID:4360
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        164⤵
        
        PID:2172
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2172 240700562
        164⤵
        
        PID:4852
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        165⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        166⤵
        
        PID:3208
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        166⤵
        
        PID:3280
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3280 240701812
        166⤵
        
        PID:1428
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        167⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        168⤵
        
        PID:3984
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        168⤵
        
        PID:1720
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1720 240703093
        168⤵
        
        PID:4628
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        169⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        170⤵
        
        PID:688
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        170⤵
        
        PID:556
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 556 240704421
        170⤵
        
        PID:5052
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        171⤵
        
        PID:636
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        172⤵
        Drops startup file
        
        PID:4292
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        172⤵
        
        PID:2520
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2520 240705687
        172⤵
        
        PID:2608
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        173⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        174⤵
        Drops startup file
        
        PID:3660
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        174⤵
        
        PID:8
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 8 240707062
        174⤵
        
        PID:4008
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        175⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        176⤵
        
        PID:1692
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        176⤵
        
        PID:1936
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1936 240708265
        176⤵
        
        PID:2596
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        177⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        178⤵
        Drops startup file
        
        PID:1232
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        178⤵
        
        PID:4180
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4180 240709578
        178⤵
        
        PID:2448
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        179⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        180⤵
        
        PID:928
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        180⤵
        
        PID:440
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 440 240710828
        180⤵
        
        PID:948
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        181⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        182⤵
        
        PID:3636
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        182⤵
        
        PID:4020
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4020 240712093
        182⤵
        
        PID:1764
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        183⤵
        
        PID:804
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        184⤵
        Drops startup file
        
        PID:1404
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        184⤵
        
        PID:3704
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3704 240713390
        184⤵
        
        PID:452
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        185⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        186⤵
        Drops startup file
        
        PID:1824
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        186⤵
        
        PID:2436
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2436 240714593
        186⤵
        
        PID:3256
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        187⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        188⤵
        Drops startup file
        
        PID:456
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        188⤵
        
        PID:3404
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3404 240715906
        188⤵
        
        PID:4376
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        189⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        190⤵
        
        PID:3308
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        190⤵
        
        PID:3140
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3140 240717250
        190⤵
        
        PID:5012
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        191⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        192⤵
        Drops startup file
        
        PID:4780
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        192⤵
        
        PID:2460
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2460 240718625
        192⤵
        
        PID:220
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        193⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        194⤵
        Drops startup file
        
        PID:2628
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        194⤵
        
        PID:2044
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2044 240719859
        194⤵
        
        PID:4592
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        195⤵
        
        PID:680
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        196⤵
        
        PID:836
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        196⤵
        
        PID:4788
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4788 240721078
        196⤵
        
        PID:3016
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        197⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        198⤵
        Drops startup file
        
        PID:864
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        198⤵
        
        PID:3868
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3868 240722328
        198⤵
        
        PID:2012
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        199⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        200⤵
        Drops startup file
        
        PID:4952
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        200⤵
        
        PID:4836
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4836 240723562
        200⤵
        
        PID:388
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        201⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        202⤵
        Drops startup file
        
        PID:2888
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        202⤵
        
        PID:2184
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2184 240724765
        202⤵
        
        PID:1832
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        203⤵
        
        PID:780
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        204⤵
        Drops startup file
        
        PID:2292
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        204⤵
        
        PID:2884
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2884 240726015
        204⤵
        
        PID:3192
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        205⤵
        
        PID:536
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        206⤵
        Drops startup file
        
        PID:872
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        206⤵
        
        PID:3820
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3820 240727281
        206⤵
        
        PID:4316
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        207⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        208⤵
        Drops startup file
        
        PID:1888
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        208⤵
        
        PID:2248
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2248 240728515
        208⤵
        
        PID:3444
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        209⤵
        
        PID:456
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        210⤵
        
        PID:4148
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        210⤵
        
        PID:2456
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2456 240729750
        210⤵
        
        PID:2996
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        211⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        212⤵
        Drops startup file
        
        PID:1680
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        212⤵
        
        PID:4036
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4036 240731000
        212⤵
        
        PID:4444
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        213⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        214⤵
        Drops startup file
        
        PID:332
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        214⤵
        
        PID:3204
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3204 240732296
        214⤵
        
        PID:4116
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        215⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        216⤵
        
        PID:2364
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        216⤵
        
        PID:2692
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2692 240733515
        216⤵
        
        PID:3116
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        217⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        218⤵
        
        PID:3416
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        218⤵
        
        PID:4992
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4992 240734796
        218⤵
        
        PID:2204
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        219⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        220⤵
        Drops startup file
        
        PID:400
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        220⤵
        
        PID:840
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 840 240736062
        220⤵
        
        PID:4076
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        221⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        222⤵
        
        PID:4328
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        222⤵
        
        PID:2768
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 2768 240737406
        222⤵
        
        PID:1992
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        223⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        224⤵
        
        PID:4956
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        224⤵
        
        PID:3312
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3312 240738593
        224⤵
        
        PID:3836
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        225⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        226⤵
        Drops startup file
        
        PID:792
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        226⤵
        
        PID:368
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 368 240739859
        226⤵
        
        PID:3772
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        227⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        228⤵
        
        PID:4936
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        228⤵
        
        PID:4464
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 4464 240741062
        228⤵
        
        PID:4360
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        229⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        230⤵
        
        PID:4196
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        230⤵
        
        PID:3256
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 3256 240742281
        230⤵
        
        PID:3444
- C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2492 240593296
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 5040 240595546
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
409KB

MD5
f672d1603b04f6a1bb2c1168429768de

SHA1
7321c9d98b08b4e2a59240666a17787d583e74f0

SHA256
d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165

SHA512
21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3eec57a063ddeef5a5584bd53b072634

SHA1
4fa6792f06bf298f5a0f62de1281f10a91f71b14

SHA256
b10d3b025ce67a8180cca9f94f9d9e09db9394c4e7b3d7d64c33d990bc7eee82

SHA512
26b54d912ca3dd113a324f3d9bd45459321fee39ca942ff3b1e8d73fefa2b1e32307f90b1a858502ada1fc40e37b94b9ac7a95ba1699687e62fc88bd1aa4a428

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnrkj20t.pbs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

Filesize
158B

MD5
3cccf9435b659bf318d80f780097ffbf

SHA1
f0af7b20ad3498befcc19d90c0c1c7d4f021e77f

SHA256
a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a

SHA512
d28c78ce84c518b8446aaa2b10bced63c7877b969abdcc0d3b65251123c1472f66598935de7facab9f5608c2bdc01b03156b00413687ee40b272c1b307e29b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

Filesize
99B

MD5
22965bf780a1f6765b8c4f592ac43af6

SHA1
99c91c1351f21ab92cbc028da05b8bcb7e007f76

SHA256
cfaa7ab524373e22fe317556e030491cd71d85db67f96692711178e38f377799

SHA512
77327ea6a9d361c37997188d87a43d7ede626d78f7d22046d2b43f654f2133165263ac5919930f97251097febd0cf836dca17270c87048d581f6c359fc079988

Download Submit
memory/368-208-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/432-3-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/432-4-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/432-2-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/432-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/432-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/732-241-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1208-89-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1208-86-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1208-87-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1208-85-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1208-84-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1592-122-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/1592-121-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/1852-80-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1852-61-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1852-38-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1912-212-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1968-7-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2492-14-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2492-9-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2492-5-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2492-23-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2984-57-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2984-53-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2984-58-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2984-64-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3004-194-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3196-218-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3484-78-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3484-141-0x0000000007B80000-0x0000000007B94000-memory.dmp

Filesize
80KB

Download
memory/3484-66-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3484-67-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3484-65-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3484-140-0x0000000007B70000-0x0000000007B7E000-memory.dmp

Filesize
56KB

Download
memory/3484-138-0x0000000007B40000-0x0000000007B51000-memory.dmp

Filesize
68KB

Download
memory/3484-62-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/3484-77-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/3484-136-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/3484-135-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/3484-125-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/3484-124-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/3484-59-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3484-115-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/3484-79-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/3484-52-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3484-51-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/3484-123-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3484-118-0x0000000007800000-0x00000000078A3000-memory.dmp

Filesize
652KB

Download
memory/3484-48-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/3484-119-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3484-117-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3484-116-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3484-102-0x0000000006BD0000-0x0000000006C02000-memory.dmp

Filesize
200KB

Download
memory/3484-104-0x0000000074580000-0x00000000745CC000-memory.dmp

Filesize
304KB

Download
memory/3484-103-0x000000007FB10000-0x000000007FB20000-memory.dmp

Filesize
64KB

Download
memory/3552-137-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3812-156-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3812-98-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4016-99-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4016-105-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4016-100-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4016-101-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4016-94-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4048-177-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4264-228-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4520-32-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4520-49-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4520-47-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4520-35-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4520-39-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4568-30-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4568-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4568-27-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4568-28-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4568-37-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4604-164-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4628-63-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4628-42-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4628-56-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4628-45-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4676-189-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4900-235-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4908-11-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4908-12-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4908-15-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/4908-16-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4908-10-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5040-60-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/5040-120-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download