7d5ea8cb79035f9855711f891d0eb7be47033c43ace219e70f8bb5d51e3e0f7e

Analysis

max time kernel
143s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe
Size

496KB
MD5

249148f74e2f1fe28f274d45f876b5cd
SHA1

9f8411885962c8c92619bef3fc57f21c828bad42
SHA256

7d5ea8cb79035f9855711f891d0eb7be47033c43ace219e70f8bb5d51e3e0f7e
SHA512

a1ccd117b0a5fe0f23a9ff41cb09c2d4e4bce098020ac5e2220b1375a2d1a1d29f57d3f3a28ac72e0e742b77a3b61e4ffffe34a1650ab9417a562d9dbbeeabda
SSDEEP

6144:Dr3HjxgAJJej39c8SluXWAqlu/ol89tE16gEelSowQb3:Dr3HjpQ39c83E1EemQb3

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cerberus = "C:\\Windows\\system32\\catroot4\\winsvr32.exe"	90387.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90387.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cerberus = "C:\\Windows\\system32\\catroot4\\winsvr32.exe"	90387.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}	90387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}\StubPath = "C:\\Windows\\system32\\catroot4\\winsvr32.exe Restart"	90387.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	90387.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winsvr32.exe

Executes dropped EXE 64 IoCs

pid	Process
1800	90387.exe
1508	90387.exe
4076	winsvr32.exe
1560	winsvr32.exe
4392	winsvr32.exe
2500	winsvr32.exe
2564	winsvr32.exe
1924	winsvr32.exe
5080	winsvr32.exe
3220	winsvr32.exe
4276	winsvr32.exe
2056	winsvr32.exe
2716	winsvr32.exe
4296	winsvr32.exe
2972	winsvr32.exe
4440	winsvr32.exe
3208	winsvr32.exe
4344	winsvr32.exe
744	winsvr32.exe
3096	winsvr32.exe
4556	winsvr32.exe
3348	winsvr32.exe
5060	winsvr32.exe
1688	winsvr32.exe
4384	winsvr32.exe
2608	winsvr32.exe
1140	winsvr32.exe
4684	winsvr32.exe
1784	winsvr32.exe
3004	winsvr32.exe
940	winsvr32.exe
1692	winsvr32.exe
4084	winsvr32.exe
2980	winsvr32.exe
4296	winsvr32.exe
4324	winsvr32.exe
3496	winsvr32.exe
2184	winsvr32.exe
2980	winsvr32.exe
5052	winsvr32.exe
3888	winsvr32.exe
4824	winsvr32.exe
2936	winsvr32.exe
1920	winsvr32.exe
2028	winsvr32.exe
3488	winsvr32.exe
2472	winsvr32.exe
812	winsvr32.exe
2248	winsvr32.exe
3512	winsvr32.exe
1496	winsvr32.exe
3792	winsvr32.exe
2336	winsvr32.exe
680	winsvr32.exe
4544	winsvr32.exe
4408	winsvr32.exe
3792	winsvr32.exe
1224	winsvr32.exe
4600	winsvr32.exe
3476	winsvr32.exe
4608	winsvr32.exe
840	winsvr32.exe
5048	winsvr32.exe
4772	winsvr32.exe

Loads dropped DLL 64 IoCs

pid	Process
4944	winsvr32.exe
2920	winsvr32.exe
4472	winsvr32.exe
3756	winsvr32.exe
3236	winsvr32.exe
4384	winsvr32.exe
216	winsvr32.exe
4904	winsvr32.exe
1180	winsvr32.exe
2060	winsvr32.exe
2240	winsvr32.exe
2028	winsvr32.exe
4592	winsvr32.exe
4408	winsvr32.exe
4832	winsvr32.exe
2376	winsvr32.exe
4596	winsvr32.exe
2272	winsvr32.exe
4296	winsvr32.exe
4956	winsvr32.exe
4320	winsvr32.exe
2084	winsvr32.exe
2240	winsvr32.exe
4340	winsvr32.exe
3596	winsvr32.exe
4584	winsvr32.exe
4472	winsvr32.exe
1508	winsvr32.exe
2584	winsvr32.exe
4384	winsvr32.exe
3616	winsvr32.exe
3064	winsvr32.exe
3504	winsvr32.exe
4912	winsvr32.exe
2600	winsvr32.exe
2244	winsvr32.exe
1776	winsvr32.exe
5016	winsvr32.exe
3304	winsvr32.exe
4340	winsvr32.exe
2972	winsvr32.exe
3724	winsvr32.exe
3560	winsvr32.exe
3640	winsvr32.exe
3088	winsvr32.exe
2520	winsvr32.exe
2932	winsvr32.exe
2912	winsvr32.exe
4240	winsvr32.exe
3288	winsvr32.exe
4268	winsvr32.exe
1048	winsvr32.exe
4024	winsvr32.exe
1152	winsvr32.exe
3864	winsvr32.exe
5076	winsvr32.exe
2576	winsvr32.exe
4544	winsvr32.exe
3704	winsvr32.exe
684	winsvr32.exe
5016	winsvr32.exe
4904	winsvr32.exe
4676	winsvr32.exe
3968	winsvr32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023422-9.dat	upx
behavioral2/memory/1800-10-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1508-35-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1508-67-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral2/memory/1508-94-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral2/memory/4076-79-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1800-64-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1508-62-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral2/memory/1800-58-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral2/memory/1800-11-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral2/memory/4076-147-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1560-215-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2500-231-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2500-284-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1924-299-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1924-353-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3220-421-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4276-437-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4276-490-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2056-505-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2056-559-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2716-575-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2716-628-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4296-644-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4296-697-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2972-765-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3208-833-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/744-848-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/744-902-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3096-917-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3096-971-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4556-987-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4556-1040-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3348-1108-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5060-1176-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1688-1192-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1688-1245-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2608-1313-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1140-1329-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1140-1382-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4684-1398-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4684-1451-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3004-1467-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3004-1520-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/940-1535-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/940-1589-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4084-1605-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4084-1658-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2980-1673-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2980-1727-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4324-1743-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4324-1796-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3496-1812-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3496-1865-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2184-1881-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2184-1934-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2980-2002-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5052-2070-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3888-2137-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2936-2151-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2936-2204-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1920-2219-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1920-2271-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3488-2337-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cerberus = "C:\\Windows\\system32\\catroot4\\winsvr32.exe"	90387.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cerberus = "C:\\Windows\\system32\\catroot4\\winsvr32.exe"	90387.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\catroot4\winsvr32.exe	90387.exe
File opened for modification	C:\Windows\SysWOW64\catroot4\winsvr32.exe	90387.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2588	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	90387.exe
Token: SeDebugPrivilege	1800	90387.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	4076	winsvr32.exe
Token: SeDebugPrivilege	4076	winsvr32.exe
Token: SeDebugPrivilege	1560	winsvr32.exe
Token: SeDebugPrivilege	1560	winsvr32.exe
Token: SeDebugPrivilege	2500	winsvr32.exe
Token: SeDebugPrivilege	2500	winsvr32.exe
Token: SeDebugPrivilege	1924	winsvr32.exe
Token: SeDebugPrivilege	1924	winsvr32.exe
Token: SeDebugPrivilege	3220	winsvr32.exe
Token: SeDebugPrivilege	3220	winsvr32.exe
Token: SeDebugPrivilege	4276	winsvr32.exe
Token: SeDebugPrivilege	4276	winsvr32.exe
Token: SeDebugPrivilege	2056	winsvr32.exe
Token: SeDebugPrivilege	2056	winsvr32.exe
Token: SeDebugPrivilege	2716	winsvr32.exe
Token: SeDebugPrivilege	2716	winsvr32.exe
Token: SeDebugPrivilege	4296	winsvr32.exe
Token: SeDebugPrivilege	4296	winsvr32.exe
Token: SeDebugPrivilege	2972	winsvr32.exe
Token: SeDebugPrivilege	2972	winsvr32.exe
Token: SeDebugPrivilege	3208	winsvr32.exe
Token: SeDebugPrivilege	3208	winsvr32.exe
Token: SeDebugPrivilege	744	winsvr32.exe
Token: SeDebugPrivilege	744	winsvr32.exe
Token: SeDebugPrivilege	3096	winsvr32.exe
Token: SeDebugPrivilege	3096	winsvr32.exe
Token: SeDebugPrivilege	4556	winsvr32.exe
Token: SeDebugPrivilege	4556	winsvr32.exe
Token: SeDebugPrivilege	3348	winsvr32.exe
Token: SeDebugPrivilege	3348	winsvr32.exe
Token: SeDebugPrivilege	5060	winsvr32.exe
Token: SeDebugPrivilege	5060	winsvr32.exe
Token: SeDebugPrivilege	1688	winsvr32.exe
Token: SeDebugPrivilege	1688	winsvr32.exe
Token: SeDebugPrivilege	2608	winsvr32.exe
Token: SeDebugPrivilege	2608	winsvr32.exe
Token: SeDebugPrivilege	1140	winsvr32.exe
Token: SeDebugPrivilege	1140	winsvr32.exe
Token: SeDebugPrivilege	4684	winsvr32.exe
Token: SeDebugPrivilege	4684	winsvr32.exe
Token: SeDebugPrivilege	3004	winsvr32.exe
Token: SeDebugPrivilege	3004	winsvr32.exe
Token: SeDebugPrivilege	940	winsvr32.exe
Token: SeDebugPrivilege	940	winsvr32.exe
Token: SeDebugPrivilege	4084	winsvr32.exe
Token: SeDebugPrivilege	4084	winsvr32.exe
Token: SeDebugPrivilege	2980	winsvr32.exe
Token: SeDebugPrivilege	2980	winsvr32.exe
Token: SeDebugPrivilege	4324	winsvr32.exe
Token: SeDebugPrivilege	4324	winsvr32.exe
Token: SeDebugPrivilege	3496	winsvr32.exe
Token: SeDebugPrivilege	3496	winsvr32.exe
Token: SeDebugPrivilege	2184	winsvr32.exe
Token: SeDebugPrivilege	2184	winsvr32.exe
Token: SeDebugPrivilege	2980	winsvr32.exe
Token: SeDebugPrivilege	2980	winsvr32.exe
Token: SeDebugPrivilege	5052	winsvr32.exe
Token: SeDebugPrivilege	5052	winsvr32.exe
Token: SeDebugPrivilege	3888	winsvr32.exe
Token: SeDebugPrivilege	3888	winsvr32.exe
Token: SeDebugPrivilege	2936	winsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1800	1808	249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe	81
PID 1808 wrote to memory of 1800	1808	249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe	81
PID 1808 wrote to memory of 1800	1808	249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe	81
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82
PID 1800 wrote to memory of 1508	1800	90387.exe	82

C:\Users\Admin\AppData\Local\Temp\249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249148f74e2f1fe28f274d45f876b5cd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\90387.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\90387.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\90387.exe
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\90387.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:1508
  - - C:\Windows\SysWOW64\catroot4\winsvr32.exe
      "C:\Windows\system32\catroot4\winsvr32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4076
    - - C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        5⤵
        Loads dropped DLL
        
        PID:4944
      - C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        7⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        11⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        13⤵
        Loads dropped DLL
        
        PID:2920
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        15⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4472
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        17⤵
        Loads dropped DLL
        
        PID:3756
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        19⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3236
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        21⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4384
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        25⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        27⤵
        Loads dropped DLL
        
        PID:216
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        29⤵
        Loads dropped DLL
        
        PID:4904
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        31⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:1180
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        33⤵
        Loads dropped DLL
        
        PID:2060
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        35⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        39⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2028
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        41⤵
        Loads dropped DLL
        
        PID:4592
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        43⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        45⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4408
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        49⤵
        Loads dropped DLL
        
        PID:4832
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        53⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2376
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        55⤵
        Loads dropped DLL
        
        PID:4596
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        57⤵
        Loads dropped DLL
        
        PID:2272
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        59⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4296
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        61⤵
        Loads dropped DLL
        
        PID:4956
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        63⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        65⤵
        Loads dropped DLL
        
        PID:4320
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        66⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        68⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        69⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2084
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        70⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        71⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        72⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        73⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4340
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        74⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        75⤵
        Loads dropped DLL
        
        PID:3596
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        76⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        77⤵
        Loads dropped DLL
        
        PID:4584
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        78⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        79⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4472
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        80⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        81⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:1508
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        82⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        83⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        84⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        85⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4384
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        86⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        87⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        88⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        89⤵
        Loads dropped DLL
        
        PID:3616
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        90⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        91⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        92⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        94⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        95⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        96⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        97⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        98⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        99⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        100⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        101⤵
        Checks computer location settings
        
        PID:1516
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        102⤵
        
        PID:436
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        103⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        104⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        105⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3504
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        106⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        107⤵
        
        PID:872
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        108⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        109⤵
        Loads dropped DLL
        
        PID:4912
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        110⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        111⤵
        Loads dropped DLL
        
        PID:2600
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        112⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        113⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2244
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        114⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        115⤵
        Loads dropped DLL
        
        PID:1776
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        116⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        117⤵
        Checks computer location settings
        
        PID:4136
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        118⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        119⤵
        Loads dropped DLL
        
        PID:5016
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        120⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        121⤵
        Loads dropped DLL
        
        PID:3304
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        122⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        123⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4340
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        124⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        125⤵
        Loads dropped DLL
        
        PID:2972
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        126⤵
        
        PID:928
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        127⤵
        Loads dropped DLL
        
        PID:3724
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        128⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        129⤵
        Loads dropped DLL
        
        PID:3560
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        130⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        131⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3640
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        132⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        133⤵
        
        PID:552
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        134⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        135⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        136⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        137⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3088
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        138⤵
        
        PID:956
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        139⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        140⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        141⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2932
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        142⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        143⤵
        Loads dropped DLL
        
        PID:2912
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        144⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        145⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4240
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        146⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        147⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        148⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        149⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        150⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        151⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        152⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        153⤵
        Loads dropped DLL
        
        PID:3288
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        154⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        155⤵
        Loads dropped DLL
        
        PID:4268
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        156⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        157⤵
        Loads dropped DLL
        
        PID:1048
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        158⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        159⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4024
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        160⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        161⤵
        
        PID:996
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        162⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        163⤵
        Loads dropped DLL
        
        PID:1152
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        164⤵
        
        PID:884
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        165⤵
        Loads dropped DLL
        
        PID:3864
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        166⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        167⤵
        Loads dropped DLL
        
        PID:5076
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        168⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        169⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:2576
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        170⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        171⤵
        Loads dropped DLL
        
        PID:4544
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        172⤵
        
        PID:744
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        173⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3704
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        174⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        175⤵
        Loads dropped DLL
        
        PID:684
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        176⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        177⤵
        Loads dropped DLL
        
        PID:5016
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        178⤵
        
        PID:928
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        179⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:4904
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        180⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        181⤵
        Loads dropped DLL
        
        PID:4676
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        182⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        183⤵
        Loads dropped DLL
        
        PID:3968
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        184⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        185⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        186⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        187⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        188⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        189⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        190⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        191⤵
        Checks computer location settings
        
        PID:996
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        192⤵
        
        PID:860
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        193⤵
        Checks computer location settings
        
        PID:1996
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        194⤵
        
        PID:744
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        195⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        196⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        197⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        198⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        199⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        200⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        201⤵
        Checks computer location settings
        
        PID:4312
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        202⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        203⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        204⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        205⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        206⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        207⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        208⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        209⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        210⤵
        
        PID:380
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        211⤵
        Checks computer location settings
        
        PID:960
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        212⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        213⤵
        Checks computer location settings
        
        PID:3504
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        214⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        215⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        216⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        217⤵
        
        PID:932
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        218⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        219⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        220⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        221⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        222⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        223⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        224⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        225⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        226⤵
        
        PID:932
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        227⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        228⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        229⤵
        Checks computer location settings
        
        PID:1652
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        230⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        231⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        232⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        233⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        234⤵
        
        PID:680
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        235⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        236⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        237⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        238⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        239⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        240⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        241⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        242⤵
        
        PID:716
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        243⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        244⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        245⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        246⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        247⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        248⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        249⤵
        
        PID:832
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        250⤵
        
        PID:436
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        251⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        252⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        253⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        254⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        255⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        256⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        257⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        258⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        259⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        260⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        261⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        262⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        263⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        264⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        265⤵
        Checks computer location settings
        
        PID:1604
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        266⤵
        
        PID:880
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        267⤵
        
        PID:540
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        268⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        269⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        270⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        271⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        272⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        273⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        274⤵
        
        PID:464
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        275⤵
        Checks computer location settings
        
        PID:2088
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        276⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        277⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        278⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        279⤵
        
        PID:940
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        280⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        281⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        282⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        283⤵
        Checks computer location settings
        
        PID:2212
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        284⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        285⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        286⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        287⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        288⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        289⤵
        Checks computer location settings
        
        PID:1216
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        290⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        291⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        292⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        293⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        294⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        295⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        296⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        297⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        298⤵
        
        PID:460
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        299⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        300⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        301⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        302⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        303⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        304⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        305⤵
        Checks computer location settings
        
        PID:2456
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        306⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        307⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        308⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        309⤵
        Checks computer location settings
        
        PID:4900
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        310⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        311⤵
        Checks computer location settings
        
        PID:840
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        312⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        313⤵
        
        PID:696
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        314⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        315⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        316⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        317⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        318⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        319⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        320⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        321⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        322⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        323⤵
        Checks computer location settings
        
        PID:1832
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        324⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        325⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        326⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        327⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        328⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        329⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        330⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        331⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        332⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        333⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        334⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        335⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        336⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        337⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        338⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        339⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        340⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        341⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        342⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        343⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        344⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        345⤵
        Checks computer location settings
        
        PID:1496
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        346⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        347⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        348⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        349⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        350⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        351⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        352⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        353⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        354⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        355⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        356⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        357⤵
        Checks computer location settings
        
        PID:4272
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        358⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        359⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        360⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        361⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        362⤵
        
        PID:772
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        363⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        364⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        365⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        366⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        367⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        368⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        369⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        370⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        371⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        372⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        373⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        374⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        375⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        376⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        377⤵
        
        PID:428
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        "C:\Windows\system32\catroot4\winsvr32.exe"
        378⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        
        C:\Windows\SysWOW64\catroot4\winsvr32.exe
        379⤵
        
        PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\melt.bat
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /T /IM JCV1
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\90387.exe

Filesize
83KB

MD5
8569ddfbde53efbe240827f1f2d6c948

SHA1
53f71968c814986ee6e431ee5fe21081e17d5160

SHA256
024c9f46ede23682fa7e5ab69337321e1681672ca05097d41bcfb081e5d510a7

SHA512
976034d5305009c04488470f0e27283048e9aa869e242c57109833e2ef81bf2e0c5b1e123db2dfd437b431ecf1be9050177eed7ad5d1a42ee8be9c6ee8d1501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
115B

MD5
39c630b300332297fa8ea3b9a3a2f21d

SHA1
eb752f02f966d06775c6e9f177c54e84a4117d62

SHA256
a148d9c069dd6e984df061489eef43f9ef88a44aa83061a5252c5587d710a833

SHA512
aab861538903a2ee4fbc57b5258a3dd7f8444d2bbe3445b81aedec916c58bbdb7eb91c605132964ee545c48d8633e66c9b1bd60bd9ed11247ae5c31afa178bf7

Download Submit
memory/680-2870-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/744-902-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/744-848-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/812-2419-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/812-2471-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/940-1589-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/940-1535-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1140-1382-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1140-1329-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-3019-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1224-3071-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-2606-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-2671-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1508-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1508-67-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1508-61-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1508-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1508-62-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1508-13-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1508-94-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1560-215-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-1192-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-1245-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1800-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1800-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1800-11-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1800-58-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1808-0-0x00007FFA71965000-0x00007FFA71966000-memory.dmp

Filesize
4KB

Download
memory/1808-70-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1808-5-0x000000001BD90000-0x000000001BE2C000-memory.dmp

Filesize
624KB

Download
memory/1808-2-0x000000001B6E0000-0x000000001BBAE000-memory.dmp

Filesize
4.8MB

Download
memory/1808-1-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1808-4-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1808-3-0x000000001BBB0000-0x000000001BC56000-memory.dmp

Filesize
664KB

Download
memory/1920-2271-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1920-2219-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-353-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-299-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-505-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2056-559-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2184-1881-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2184-1934-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-2486-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-2538-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-2804-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-2751-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-2404-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-2352-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2500-284-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2500-231-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-3287-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-3339-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2608-1313-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-575-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-628-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-2204-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2936-2151-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-765-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2980-1673-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2980-1727-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2980-2002-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-1520-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-1467-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3096-971-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3096-917-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3208-833-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3220-421-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3348-1108-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3488-2337-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3496-1812-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3496-1865-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-2604-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3792-3004-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3792-2952-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3792-2737-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3888-2137-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4076-147-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4076-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4084-1658-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4084-1605-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4276-490-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4276-437-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4296-697-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4296-644-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4324-1796-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4324-1743-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4544-2885-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4544-2937-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4556-1040-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4556-987-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4556-3406-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4556-3354-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4600-3086-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4600-3138-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4608-3205-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4608-3153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4684-1451-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4684-1398-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5048-3220-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5048-3272-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5052-2070-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5060-1176-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads