berbew | 6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc

Resubmissions

19-09-2024 12:52

240919-p4ffqazdpn 10

Analysis

max time kernel
17s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-09-2024 12:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

magic.exe
Size

36.7MB
MD5

f921e16ca321bbe2e490f036f8b99c74
SHA1

6e25638b340ba77f3e467bbbdc27c48209e193af
SHA256

6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc
SHA512

04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274
SSDEEP

786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Injmcmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alcfei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eidlnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	240919-pte27syhmr_41eeb0d9d9dc541a94a91971823e382209dd24490911f8ab5fc09cc929578a83N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcikgacl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kqphfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlimed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopocbcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmbbejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikkpgafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpfepf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nccokk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacoqnci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpjbq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjpnlbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcecjmkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmiclo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohmhmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dblgpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejalcgkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjichj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfgjjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjmfjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkconn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bohbhmfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdjfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgpmmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgcpokp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blhpqhlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgeno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmdecbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefjii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdobnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfendmoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hienlpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hginecde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkohaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcegi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonoao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkoigdom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbaonae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljobpiql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmbee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdaociml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphphj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adndoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hienlpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hginecde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epikpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnpabe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcalieg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdaociml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhkbfme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccbadp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvkmxleu.dll = "{D3112B69-A745-4805-874E-ABD480EA1299}"	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcpojd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000200000002b1af-4815.dat	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000002b0f4-4148.dat	family_xworm

Detects MyDoom family 2 IoCs

resource	yara_rule
behavioral2/memory/5532-1767-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5296-1629-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe"	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\ntsock.exe"	ntsock.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dsh.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dsh.exe

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	13916	2296	schtasks.exe	486
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	13764	2296	schtasks.exe	486
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	18648	2296	schtasks.exe	486
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	18596	2296	schtasks.exe	486

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4400-1784-0x0000000000FB0000-0x0000000001082000-memory.dmp	dcrat
behavioral2/files/0x000200000002b227-5324.dat	dcrat

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/files/0x000100000002b2ac-6089.dat	xmrig

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2104	240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe
2084	240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe
3448	omsecor.exe
1500	Alnmjjdb.exe
4152	Achegd32.exe
2164	Afgacokc.exe
2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
2532	Alqjpi32.exe
4616	Ajdjin32.exe
4856	240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe
3904	Alcfei32.exe
4500	240919-prn74aycpb_eb57ee819c3e9840314784fb48e53c74_JaffaCakes118.exe
3740	240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp
4652	Aoabad32.exe
1744	Abponp32.exe
4476	Aleckinj.exe
4872	240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe
2472	Blhpqhlh.exe
244	Bkmmaeap.exe
2528	Bbgeno32.exe
1112	240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
2976	Bfbaonae.exe
1948	Bkoigdom.exe
4220	240919-pjqqysydnj_eb52a85af6c9d34ae4faa120e2ca0b40_JaffaCakes118.exe
2296	Bfendmoc.exe
2376	tazebama.dl_
4468	240919-p2x8rayhkc_0db31fe824a882de227a91563095589554d7bc53393b50d3e6f323d6ad4261d3N.exe
3364	Bfgjjm32.exe
1900	Bopocbcq.exe
2648	Bopocbcq.exe
1080	Cobkhb32.exe
2988	Ckilmcgb.exe
5116	Codhnb32.exe
5344	Ccbadp32.exe
5384	Cbeapmll.exe
5480	Ccdnjp32.exe
5696	Cmmbbejp.exe
5736	Coknoaic.exe
5804	Dkbocbog.exe
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
5880	Dblgpl32.exe
5920	Djcoai32.exe
6100	Djelgied.exe
1508	Dpbdopck.exe
4724	Dcnqpo32.exe
4932	240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
352	Dfoiaj32.exe
5432	Dimenegi.exe
5288	Dmhand32.exe
5452	Elnoopdj.exe
5780	Epikpo32.exe
5652	Ecefqnel.exe
5724	240919-pxkrvsyfka_2832-6-0x0000000000400000-0x000000000044A000-memory.dmp
2660	Ebjcajjd.exe
4980	Ejalcgkg.exe
5904	Eidlnd32.exe
6128	240919-pt4essydrd_d00a6cfc8751292697cf37afee755de814ef6ecbdf8c71648e638f03afa13381N.exe
248	240919-prcjasygnj_5e2395dce1bb61098d55c6df2541071ca8f8c825b5aa9ce3b8afabcdeff4c504N.exe
4104	240919-ps5lgaydmh_eb58d8799071c166971828940bdf87dc_JaffaCakes118.exe
4528	240919-pyhc5azbnl_806cd24fa66b07ec7bc6deda153a3b155938cd4e88bbdd5ce59f18e7936d751dN.exe
5280	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
5296	240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
3084	240919-prnxbsygpl_8ecf30082527af945cc7df7dd2567a0838e611177a6f94bfa9ceb768e1b3cd15N.exe
544	240919-pqzx7sycmb_eb5761c410b5139f23235e9b67964495_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
236	magic.exe
1112	240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
1112	240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
1112	240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
2964	WerFault.exe
4932	240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
5716	WerFault.exe
6112	WerFault.exe
3084	240919-prnxbsygpl_8ecf30082527af945cc7df7dd2567a0838e611177a6f94bfa9ceb768e1b3cd15N.exe
5176	240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
5516	240919-pnhk5syfkl_KZ710-0038.exe
4104	240919-ps5lgaydmh_eb58d8799071c166971828940bdf87dc_JaffaCakes118.exe
4620	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
544	240919-pqzx7sycmb_eb5761c410b5139f23235e9b67964495_JaffaCakes118.exe
5508	240919-pm286ayeqp_eb54f091b05a95511601e2f9f9771bae_JaffaCakes118.exe
3824	240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
6460	vbc.exe
6500	uboot.bin
7776	Rundll32.exe
5516	240919-pnhk5syfkl_KZ710-0038.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dsh.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2108-1138-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/6300-1769-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5532-1767-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4620-1765-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5296-1629-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1112-1453-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/2108-1151-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/4220-1216-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/2108-1158-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/1112-1191-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/7040-2269-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6460-2264-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/files/0x000100000002b0f7-3600.dat	upx
behavioral2/files/0x000100000002b2ac-6089.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 13 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\Downloads\\240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe"	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winabc = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\uboot.dll,abcLaunchEv"	uboot.bin
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-AYRCHN = "\"C:\\Users\\Admin\\AppData\\Roaming\\yava_explore.exe\""	240919-pncpwsyfjk_documents-pdf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\K:	dsh.exe
File opened (read-only)	\??\N:	dsh.exe
File opened (read-only)	\??\U:	dsh.exe
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\P:	dsh.exe
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\R:	dsh.exe
File opened (read-only)	\??\Y:	dsh.exe
File opened (read-only)	\??\T:	dsh.exe
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\G:	dsh.exe
File opened (read-only)	\??\J:	dsh.exe
File opened (read-only)	\??\O:	dsh.exe
File opened (read-only)	\??\B:	dsh.exe
File opened (read-only)	\??\E:	dsh.exe
File opened (read-only)	\??\H:	dsh.exe
File opened (read-only)	\??\I:	dsh.exe
File opened (read-only)	\??\L:	dsh.exe
File opened (read-only)	\??\V:	dsh.exe
File opened (read-only)	\??\X:	dsh.exe
File opened (read-only)	\??\W:	dsh.exe
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\S:	dsh.exe
File opened (read-only)	\??\Z:	dsh.exe
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\E:	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
File opened (read-only)	\??\Q:	dsh.exe
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\M:	dsh.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
1	discord.com
2	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
212	api.2ip.ua
218	checkip.dyndns.org
211	api.2ip.ua

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfklem32.dll	Phfjcf32.exe
File opened for modification	C:\Windows\SysWOW64\Alcfei32.exe	Ajdjin32.exe
File created	C:\Windows\SysWOW64\Aoabad32.exe	240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe
File created	C:\Windows\SysWOW64\Bbgeno32.exe	240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe
File created	C:\Windows\SysWOW64\Lepglifa.dll	Dblgpl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpbin32.exe	Idkkpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjkblhfo.exe	Ljobpiql.exe
File created	C:\Windows\SysWOW64\Ifhahnbj.dll	Fjohde32.exe
File opened for modification	C:\Windows\SysWOW64\Lknojl32.exe	Kkgiimng.exe
File created	C:\Windows\SysWOW64\Cjibekmc.dll	Maggnali.exe
File created	C:\Windows\SysWOW64\Cmmbbejp.exe	Ccbadp32.exe
File created	C:\Windows\SysWOW64\Eifhdd32.exe	Ebjcajjd.exe
File created	C:\Windows\SysWOW64\Injmcmej.exe	Hienlpel.exe
File created	C:\Windows\SysWOW64\Plopnh32.dll	Neqopnhb.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbcj32.exe	Aamknj32.exe
File created	C:\Windows\SysWOW64\Mmjpbc32.dll	Alnfpcag.exe
File created	C:\Windows\SysWOW64\Ncliqp32.dll	Epikpo32.exe
File created	C:\Windows\SysWOW64\Hkbado32.dll	Hlambk32.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	dsh.exe
File created	C:\Windows\SysWOW64\Ffchaq32.dll	Aogiap32.exe
File created	C:\Windows\SysWOW64\Alelqb32.exe	Alnfpcag.exe
File opened for modification	C:\Windows\SysWOW64\Aphblj32.dll	Bochmn32.exe
File opened for modification	C:\Windows\SysWOW64\Afgacokc.exe	Achegd32.exe
File created	C:\Windows\SysWOW64\Injmlc32.dll	Djcoai32.exe
File opened for modification	C:\Windows\SysWOW64\Ikbfgppo.exe	Ipflihfq.exe
File created	C:\Windows\SysWOW64\Kqphfe32.exe	Jlkipgpe.exe
File created	C:\Windows\SysWOW64\Lafnnj32.dll	Kmdlffhj.exe
File created	C:\Windows\SysWOW64\Ljobpiql.exe	Kgipcogp.exe
File opened for modification	C:\Windows\SysWOW64\Chnbbqpn.exe	Cbpajgmf.exe
File opened for modification	C:\Windows\SysWOW64\Blhpqhlh.exe	Abponp32.exe
File created	C:\Windows\SysWOW64\Enhodk32.dll	Plmmif32.exe
File created	C:\Windows\SysWOW64\Onpjichj.exe	Nlcalieg.exe
File created	C:\Windows\SysWOW64\Jfniqp32.dll	Naecop32.exe
File created	C:\Windows\SysWOW64\Dfoiaj32.exe	Djelgied.exe
File created	C:\Windows\SysWOW64\Eleepoob.exe	Eidlnd32.exe
File created	C:\Windows\SysWOW64\Lmpkadnm.exe	Kmieae32.exe
File created	C:\Windows\SysWOW64\Mnhkbfme.exe	Lkeekk32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcalieg.exe	Mnhkbfme.exe
File created	C:\Windows\SysWOW64\Neqopnhb.exe	Mmbanbmg.exe
File opened for modification	C:\Windows\SysWOW64\Bhpfqcln.exe	Albpkc32.exe
File created	C:\Windows\SysWOW64\Jfhepbll.dll	Cmmbbejp.exe
File opened for modification	C:\Windows\SysWOW64\Hpjmnjqn.exe	Gfkbde32.exe
File created	C:\Windows\SysWOW64\Pgapfg32.dll	Codhnb32.exe
File created	C:\Windows\SysWOW64\Gpcfmkff.exe	240919-prr9raygpm_4d6281b866aeaf5b5c58f3fe792e2b9ff4a022b449a48e2b417fb045a353dbcaN.exe
File created	C:\Windows\SysWOW64\Kiljgf32.dll	Cfipef32.exe
File opened for modification	C:\Windows\SysWOW64\Pldcjeia.exe	Odmbaj32.exe
File opened for modification	C:\Windows\SysWOW64\Chglab32.exe	Bebjdgmj.exe
File created	C:\Windows\SysWOW64\Ckilmcgb.exe	Bopocbcq.exe
File created	C:\Windows\SysWOW64\Fdnpclpq.dll	Ikbfgppo.exe
File opened for modification	C:\Windows\SysWOW64\Ljobpiql.exe	Kgipcogp.exe
File created	C:\Windows\SysWOW64\Lqkgbcff.exe	Kjmfjj32.exe
File created	C:\Windows\SysWOW64\Lqpamb32.exe	Jlhljhbg.exe
File opened for modification	C:\Windows\SysWOW64\Oacoqnci.exe	Naecop32.exe
File created	C:\Windows\SysWOW64\Gdaociml.exe	240919-pte27syhmr_41eeb0d9d9dc541a94a91971823e382209dd24490911f8ab5fc09cc929578a83N.exe
File created	C:\Windows\SysWOW64\Qnidao32.dll	Hlcjhkdp.exe
File opened for modification	C:\Windows\SysWOW64\Jnlbojee.exe	Ikpjbq32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdnjp32.exe	Ckilmcgb.exe
File opened for modification	C:\Windows\SysWOW64\Igbalblk.exe	Hginecde.exe
File created	C:\Windows\SysWOW64\Iaqdae32.dll	Gdaociml.exe
File created	C:\Windows\SysWOW64\Jbkfjo32.dll	Mjkblhfo.exe
File created	C:\Windows\SysWOW64\Mncilb32.dll	Bkjiao32.exe
File created	C:\Windows\SysWOW64\Nbenoa32.dll	Cdlqqcnl.exe
File created	C:\Windows\SysWOW64\Lnnlhc32.dll	240919-prr9raygpm_4d6281b866aeaf5b5c58f3fe792e2b9ff4a022b449a48e2b417fb045a353dbcaN.exe
File opened for modification	C:\Windows\SysWOW64\Enhodk32.dll	Ojgjndno.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 248 set thread context of 6460	248	240919-prcjasygnj_5e2395dce1bb61098d55c6df2541071ca8f8c825b5aa9ce3b8afabcdeff4c504N.exe	180

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	dsh.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	dsh.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	dsh.exe
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	dsh.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	dsh.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	dsh.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	dsh.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
File created	C:\Windows\services.exe	240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
File opened for modification	C:\Windows\java.exe	240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
File created	C:\Windows\java.exe	240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
File opened for modification	\??\c:\Windows\BJ.exe	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
File opened for modification	C:\Windows\SYSTEM.INI	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
File created	C:\Windows\ntsocks.dll	ntboot.bin
File created	C:\Windows\java.exe	240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
File created	\??\c:\Windows\BJ.exe	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
File created	\??\c:\Windows\svchest425075242507520.exe	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
File opened for modification	\??\c:\Windows\svchest425075242507520.exe	240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
File created	C:\Windows\ntsock.exe	ntboot.bin

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
6088	3916	WerFault.exe
7540	5724	WerFault.exe
6112	2376	WerFault.exe	108
5716	4500	WerFault.exe
2964	3740	WerFault.exe
5428	3916	WerFault.exe	156
9376	7816	WerFault.exe	240
12436	3824	WerFault.exe	158
9648	7816	WerFault.exe	240
5572	10024	WerFault.exe
14236	1108	WerFault.exe	613
13628	9944	WerFault.exe	533
3396	10468	WerFault.exe	569
15304	13948	WerFault.exe	642
15380	15104	WerFault.exe	729
9948	7816	Process not Found	240
6716	7816	Process not Found	240
10016	15104	Process not Found	729
13696	6824	Process not Found	502

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-prr9raygpm_4d6281b866aeaf5b5c58f3fe792e2b9ff4a022b449a48e2b417fb045a353dbcaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgcpokp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbpajgmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccbadp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmhand32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikpjbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chglab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pnl9bsybjf_19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljobpiql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjichj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjkblhfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntsock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpfqcln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idkkpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkipgpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqfngd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefjii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coknoaic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdobnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gphphj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcmbee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejalcgkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlimed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcqjon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elnoopdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbaonae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djelgied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndeii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pxtd1azbkm_eb5b89ca20208c3ef69d8b6990f4a02b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embddb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hienlpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgiimng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raschap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkadfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnpabe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbcfbjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlambk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkdgchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkalplel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgqfdnah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pm286ayeqp_eb54f091b05a95511601e2f9f9771bae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcikgacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqndhcdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmdecbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omegjomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adndoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnqpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllkqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eleepoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgjndno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omegjomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnfpcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgacokc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkoigdom.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcejco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maggnali.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklbdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgninn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll"	Onpjichj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll"	Bnkbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonklp32.dll"	Jjgchm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdigadjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll"	Gdaociml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll"	Kcejco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjfngdm.dll"	Jlhljhbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coknoaic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hienlpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll"	Jcikgacl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll"	Kkconn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bochmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhbcfbjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	240919-pr3eqaygrk_b334bb664f4fd751d66b03f528e16746b25e6799f8dd25605689c1542e9ca1f6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fffhifdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdlffhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll"	Pefabkej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll"	Coknoaic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmhand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiohdo32.dll"	Gdobnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlhljhbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqndhcdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onpjichj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebjdgmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfjcdon.dll"	Aoabad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjohde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbeapmll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eifhdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aleckinj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambahc32.dll"	Bopocbcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiocibf.dll"	Kqfngd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	dsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anaomkdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adkgje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aknifq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmiclo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcmbee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aknifq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdigadjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omegjomb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll"	Gpecbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipflihfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkalplel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgjal32.dll"	Albpkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonoao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdkaadn.dll"	Cbeapmll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll"	240919-pjxt9sydnp_5da41272d55eff3d99d9ab4586f6572a02e0e5ef35c0bbf3bef2dfa06949121bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnlbojee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgqfdnah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmaffnce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndeii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmmbbejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpnaf.dll"	Fjmkoeqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfgjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpdhkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Maggnali.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgaokl32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7544	schtasks.exe
13372	schtasks.exe
13928	schtasks.exe
13472	schtasks.exe
13916	schtasks.exe
13764	schtasks.exe
9872	schtasks.exe
6248	schtasks.exe
18648	schtasks.exe
18596	schtasks.exe
3536	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	216	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
2376	tazebama.dl_
2376	tazebama.dl_
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
8084	raschap.exe
8084	raschap.exe
8084	raschap.exe
788	fvecerts.exe
788	fvecerts.exe
8616	ntsock.exe
8616	ntsock.exe
8616	ntsock.exe
8616	ntsock.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
5816	240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
4932	240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
4932	240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
3824	240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
3824	240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
3084	240919-prnxbsygpl_8ecf30082527af945cc7df7dd2567a0838e611177a6f94bfa9ceb768e1b3cd15N.exe
4620	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
5508	240919-pm286ayeqp_eb54f091b05a95511601e2f9f9771bae_JaffaCakes118.exe
6460	vbc.exe
5176	240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
7776	Rundll32.exe
6056	dsh.exe
8084	raschap.exe
8084	raschap.exe
8124	ntboot.bin
8124	ntboot.bin
8616	ntsock.exe
8616	ntsock.exe
8616	ntsock.exe
8616	ntsock.exe
7840	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
7840	240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 236	3004	magic.exe	79
PID 3004 wrote to memory of 236	3004	magic.exe	79
PID 236 wrote to memory of 5108	236	magic.exe	80
PID 236 wrote to memory of 5108	236	magic.exe	80
PID 236 wrote to memory of 2376	236	magic.exe	81
PID 236 wrote to memory of 2376	236	magic.exe	81
PID 236 wrote to memory of 2104	236	magic.exe	82
PID 236 wrote to memory of 2104	236	magic.exe	82
PID 236 wrote to memory of 2104	236	magic.exe	82
PID 236 wrote to memory of 2084	236	magic.exe	83
PID 236 wrote to memory of 2084	236	magic.exe	83
PID 236 wrote to memory of 2084	236	magic.exe	83
PID 2104 wrote to memory of 3448	2104	240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe	84
PID 2104 wrote to memory of 3448	2104	240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe	84
PID 2104 wrote to memory of 3448	2104	240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe	84
PID 2084 wrote to memory of 1500	2084	240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe	85
PID 2084 wrote to memory of 1500	2084	240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe	85
PID 2084 wrote to memory of 1500	2084	240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe	85
PID 1500 wrote to memory of 4152	1500	Alnmjjdb.exe	86
PID 1500 wrote to memory of 4152	1500	Alnmjjdb.exe	86
PID 1500 wrote to memory of 4152	1500	Alnmjjdb.exe	86
PID 4152 wrote to memory of 2164	4152	Achegd32.exe	87
PID 4152 wrote to memory of 2164	4152	Achegd32.exe	87
PID 4152 wrote to memory of 2164	4152	Achegd32.exe	87
PID 236 wrote to memory of 2108	236	magic.exe	88
PID 236 wrote to memory of 2108	236	magic.exe	88
PID 236 wrote to memory of 2108	236	magic.exe	88
PID 2164 wrote to memory of 2532	2164	Afgacokc.exe	89
PID 2164 wrote to memory of 2532	2164	Afgacokc.exe	89
PID 2164 wrote to memory of 2532	2164	Afgacokc.exe	89
PID 2532 wrote to memory of 4616	2532	Alqjpi32.exe	90
PID 2532 wrote to memory of 4616	2532	Alqjpi32.exe	90
PID 2532 wrote to memory of 4616	2532	Alqjpi32.exe	90
PID 236 wrote to memory of 4856	236	magic.exe	91
PID 236 wrote to memory of 4856	236	magic.exe	91
PID 236 wrote to memory of 4856	236	magic.exe	91
PID 4616 wrote to memory of 3904	4616	Ajdjin32.exe	92
PID 4616 wrote to memory of 3904	4616	Ajdjin32.exe	92
PID 4616 wrote to memory of 3904	4616	Ajdjin32.exe	92
PID 236 wrote to memory of 4500	236	magic.exe	93
PID 236 wrote to memory of 4500	236	magic.exe	93
PID 236 wrote to memory of 4500	236	magic.exe	93
PID 236 wrote to memory of 3740	236	magic.exe	94
PID 236 wrote to memory of 3740	236	magic.exe	94
PID 4856 wrote to memory of 4652	4856	240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe	1874
PID 4856 wrote to memory of 4652	4856	240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe	1874
PID 4856 wrote to memory of 4652	4856	240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe	1874
PID 3904 wrote to memory of 1744	3904	Alcfei32.exe	96
PID 3904 wrote to memory of 1744	3904	Alcfei32.exe	96
PID 3904 wrote to memory of 1744	3904	Alcfei32.exe	96
PID 4652 wrote to memory of 4476	4652	Aoabad32.exe	1583
PID 4652 wrote to memory of 4476	4652	Aoabad32.exe	1583
PID 4652 wrote to memory of 4476	4652	Aoabad32.exe	1583
PID 236 wrote to memory of 4872	236	magic.exe	99
PID 236 wrote to memory of 4872	236	magic.exe	99
PID 236 wrote to memory of 4872	236	magic.exe	99
PID 1744 wrote to memory of 2472	1744	Abponp32.exe	100
PID 1744 wrote to memory of 2472	1744	Abponp32.exe	100
PID 1744 wrote to memory of 2472	1744	Abponp32.exe	100
PID 2472 wrote to memory of 244	2472	Blhpqhlh.exe	101
PID 2472 wrote to memory of 244	2472	Blhpqhlh.exe	101
PID 2472 wrote to memory of 244	2472	Blhpqhlh.exe	101
PID 4872 wrote to memory of 2528	4872	240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe	102
PID 4872 wrote to memory of 2528	4872	240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe	102

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:824

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:828

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:472

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\magic.exe
  "C:\Users\Admin\AppData\Local\Temp\magic.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\magic.exe
    "C:\Users\Admin\AppData\Local\Temp\magic.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2376
  - - C:\Users\Admin\Downloads\240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe
      C:\Users\Admin\Downloads\240919-px46hayfmc_c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
  - - C:\Users\Admin\Downloads\240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe
      C:\Users\Admin\Downloads\240919-pycgwayfnc_613f4789a7d0fe032c43bf56ef351e750a13bf5ccdf9f9064822839a7a8f14ecN.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Alqjpi32.exe
        
        C:\Windows\system32\Alqjpi32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Abponp32.exe
        
        C:\Windows\system32\Abponp32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Blhpqhlh.exe
        
        C:\Windows\system32\Blhpqhlh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Bkmmaeap.exe
        
        C:\Windows\system32\Bkmmaeap.exe
        13⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Cbeapmll.exe
        
        C:\Windows\system32\Cbeapmll.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Dcnqpo32.exe
        
        C:\Windows\system32\Dcnqpo32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        21⤵
        Executes dropped EXE
        
        PID:5652
        
        C:\Windows\SysWOW64\Eidlnd32.exe
        
        C:\Windows\system32\Eidlnd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Iknmla32.exe
        
        C:\Windows\system32\Iknmla32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1608
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7708
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        27⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        29⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7980
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        31⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:8912
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        33⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8180
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        35⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9264
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        36⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9668
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        37⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        38⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        39⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        40⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        41⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        42⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        43⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        44⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        45⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        46⤵
        
        PID:12464
  - - C:\Users\Admin\Downloads\240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pxpe2szbjr_eb5b7b6899b853b5903830697ff86ace_JaffaCakes118.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2108
  - - C:\Users\Admin\Downloads\240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe
      C:\Users\Admin\Downloads\240919-ptc8lsyhmp_6bfda052f5e26b18303ca3f9b8724f3a565bb769fdef657907a216fb1f930532N.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Aoabad32.exe
        
        C:\Windows\system32\Aoabad32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ckilmcgb.exe
        
        C:\Windows\system32\Ckilmcgb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        10⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Windows\SysWOW64\Dkbocbog.exe
        
        C:\Windows\system32\Dkbocbog.exe
        11⤵
        Executes dropped EXE
        
        PID:5804
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Dfoiaj32.exe
        
        C:\Windows\system32\Dfoiaj32.exe
        13⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        16⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Ikbfgppo.exe
        
        C:\Windows\system32\Ikbfgppo.exe
        18⤵
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        20⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7156
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        21⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        23⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8792
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7656
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        26⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        27⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        28⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        29⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        30⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        31⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        32⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        33⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        34⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        35⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        36⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        37⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        38⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        39⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        40⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        41⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        42⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        43⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        44⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        45⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        46⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        47⤵
        
        PID:13592
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        48⤵
        
        PID:14208
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        49⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        50⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        51⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        52⤵
        
        PID:15312
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        53⤵
        
        PID:16068
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        54⤵
        
        PID:18832
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        55⤵
        
        PID:19572
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        56⤵
        
        PID:19200
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        57⤵
        
        PID:20368
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        58⤵
        
        PID:21404
  - - C:\Users\Admin\Downloads\240919-prn74aycpb_eb57ee819c3e9840314784fb48e53c74_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-prn74aycpb_eb57ee819c3e9840314784fb48e53c74_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 348
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:5716
  - - C:\Users\Admin\Downloads\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp
      C:\Users\Admin\Downloads\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp
      4⤵
      Executes dropped EXE
      PID:3740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 8
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2964
  - - C:\Users\Admin\Downloads\240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe
      C:\Users\Admin\Downloads\240919-p3cnfazdkk_c9451319c5573e54454fb409a59f138161fcdaad4cf40df19d5a7e17f59b3353N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\SysWOW64\Bbgeno32.exe
        
        C:\Windows\system32\Bbgeno32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2528
      - C:\Windows\SysWOW64\Bfendmoc.exe
        
        C:\Windows\system32\Bfendmoc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
  - - C:\Users\Admin\Downloads\240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pynvxayfpc_eb5c5395b89a24626340ac864e56e6ce_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1112
    - - C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Enumerates connected drives
        Drops autorun.inf file
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 872
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:6112
  - - C:\Users\Admin\Downloads\240919-pjqqysydnj_eb52a85af6c9d34ae4faa120e2ca0b40_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pjqqysydnj_eb52a85af6c9d34ae4faa120e2ca0b40_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      PID:4220
  - - C:\Users\Admin\Downloads\240919-p2x8rayhkc_0db31fe824a882de227a91563095589554d7bc53393b50d3e6f323d6ad4261d3N.exe
      C:\Users\Admin\Downloads\240919-p2x8rayhkc_0db31fe824a882de227a91563095589554d7bc53393b50d3e6f323d6ad4261d3N.exe
      4⤵
      Executes dropped EXE
      PID:4468
    - - C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        5⤵
        Executes dropped EXE
        
        PID:1080
      - C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Cmmbbejp.exe
        
        C:\Windows\system32\Cmmbbejp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        9⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        10⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        14⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        15⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        16⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        17⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Odhifjkg.exe
        
        C:\Windows\system32\Odhifjkg.exe
        18⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7736
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        21⤵
        Modifies registry class
        
        PID:8828
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        23⤵
        Drops file in System32 directory
        
        PID:9504
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        24⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        25⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        26⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        27⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        28⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        29⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        30⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        31⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        32⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        33⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        34⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        35⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        36⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        37⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        38⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        39⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10024 -s 408
        40⤵
        Program crash
        
        PID:5572
  - - C:\Users\Admin\Downloads\240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pqwwjsyclf_eb5750de6eccda96659216821bc7b7cc_JaffaCakes118.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5816
  - - C:\Users\Admin\Downloads\240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-prg4saycnf_eb57bc34b923b43ab02a7fca45fe2c5d_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4932
    - - C:\Windows\SysWOW64\netapi32\raschap.exe
        
        "C:\Windows\SysWOW64\netapi32\raschap.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:8084
  - - C:\Users\Admin\Downloads\240919-pxkrvsyfka_2832-6-0x0000000000400000-0x000000000044A000-memory.dmp
      C:\Users\Admin\Downloads\240919-pxkrvsyfka_2832-6-0x0000000000400000-0x000000000044A000-memory.dmp
      4⤵
      Executes dropped EXE
      PID:5724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 8
        5⤵
        Program crash
        
        PID:7540
  - - C:\Users\Admin\Downloads\240919-pt4essydrd_d00a6cfc8751292697cf37afee755de814ef6ecbdf8c71648e638f03afa13381N.exe
      C:\Users\Admin\Downloads\240919-pt4essydrd_d00a6cfc8751292697cf37afee755de814ef6ecbdf8c71648e638f03afa13381N.exe
      4⤵
      Executes dropped EXE
      PID:6128
    - - C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        5⤵
        
        PID:6196
      - C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        6⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        8⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Jpfepf32.exe
        
        C:\Windows\system32\Jpfepf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Kdkdgchl.exe
        
        C:\Windows\system32\Kdkdgchl.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        12⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Maggnali.exe
        
        C:\Windows\system32\Maggnali.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        14⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        15⤵
        Drops file in System32 directory
        
        PID:8760
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        16⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8340
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        18⤵
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        19⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        20⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        21⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        22⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        23⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        24⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        25⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        26⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        27⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        28⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        29⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        30⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        31⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        32⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        33⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        34⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        35⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        36⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        37⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        38⤵
        
        PID:9316
  - - C:\Users\Admin\Downloads\240919-prcjasygnj_5e2395dce1bb61098d55c6df2541071ca8f8c825b5aa9ce3b8afabcdeff4c504N.exe
      C:\Users\Admin\Downloads\240919-prcjasygnj_5e2395dce1bb61098d55c6df2541071ca8f8c825b5aa9ce3b8afabcdeff4c504N.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:248
    - - C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe
        5⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:6460
  - - C:\Users\Admin\Downloads\240919-ps5lgaydmh_eb58d8799071c166971828940bdf87dc_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-ps5lgaydmh_eb58d8799071c166971828940bdf87dc_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4104
    - - C:\Windows\SysWOW64\opengl32\fvecerts.exe
        
        "C:\Windows\SysWOW64\opengl32\fvecerts.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
  - - C:\Users\Admin\Downloads\240919-pyhc5azbnl_806cd24fa66b07ec7bc6deda153a3b155938cd4e88bbdd5ce59f18e7936d751dN.exe
      C:\Users\Admin\Downloads\240919-pyhc5azbnl_806cd24fa66b07ec7bc6deda153a3b155938cd4e88bbdd5ce59f18e7936d751dN.exe
      4⤵
      Executes dropped EXE
      PID:4528
    - - C:\Windows\SysWOW64\Fllkqn32.exe
        
        C:\Windows\system32\Fllkqn32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6272
      - C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        6⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7636
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Kcejco32.exe
        
        C:\Windows\system32\Kcejco32.exe
        10⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        12⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7472
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8688
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        16⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        17⤵
        Modifies registry class
        
        PID:8552
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        18⤵
        
        PID:9372
  - - C:\Users\Admin\Downloads\240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pyzbmszbqk_eb5c919afd904cf62615161c2c83720f_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:5280
    - - \??\c:\Windows\svchest425075242507520.exe
        
        c:\Windows\svchest425075242507520.exe
        5⤵
        
        PID:7860
  - - C:\Users\Admin\Downloads\240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
      C:\Users\Admin\Downloads\240919-pzvd3sygka_35fec8ebef2fe5d3fb932f4be938eb0937e2b278337218baf7c7155190f6f62cN.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:5296
    - - C:\Windows\services.exe
        
        "C:\Windows\services.exe"
        5⤵
        Adds Run key to start application
        
        PID:6300
  - - C:\Users\Admin\Downloads\240919-prnxbsygpl_8ecf30082527af945cc7df7dd2567a0838e611177a6f94bfa9ceb768e1b3cd15N.exe
      C:\Users\Admin\Downloads\240919-prnxbsygpl_8ecf30082527af945cc7df7dd2567a0838e611177a6f94bfa9ceb768e1b3cd15N.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3084
  - - C:\Users\Admin\Downloads\240919-pqzx7sycmb_eb5761c410b5139f23235e9b67964495_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pqzx7sycmb_eb5761c410b5139f23235e9b67964495_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:544
    - - C:\Users\Admin\AppData\Local\Temp\temp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp.exe"
        5⤵
        
        PID:11680
  - - C:\Users\Admin\Downloads\240919-pr3eqaygrk_b334bb664f4fd751d66b03f528e16746b25e6799f8dd25605689c1542e9ca1f6N.exe
      C:\Users\Admin\Downloads\240919-pr3eqaygrk_b334bb664f4fd751d66b03f528e16746b25e6799f8dd25605689c1542e9ca1f6N.exe
      4⤵
      Modifies registry class
      PID:228
    - - C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        5⤵
        Modifies registry class
        
        PID:6364
      - C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        6⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        7⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7236
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        9⤵
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        10⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8904
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        12⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8600
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        14⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        15⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        16⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        17⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        18⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        19⤵
        
        PID:10492
  - - C:\Users\Admin\Downloads\240919-pxtd1azbkm_eb5b89ca20208c3ef69d8b6990f4a02b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pxtd1azbkm_eb5b89ca20208c3ef69d8b6990f4a02b_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
  - - C:\Users\Admin\Downloads\240919-ptx8saydra_8aea267d26fa51fc94d8ac61f063cd6c9a9e83dcfd068c6518d5bca4289dd471.exe
      C:\Users\Admin\Downloads\240919-ptx8saydra_8aea267d26fa51fc94d8ac61f063cd6c9a9e83dcfd068c6518d5bca4289dd471.exe
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 436
        5⤵
        Program crash
        
        PID:6088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 448
        5⤵
        Program crash
        
        PID:5428
  - - C:\Users\Admin\Downloads\240919-prr9raygpm_4d6281b866aeaf5b5c58f3fe792e2b9ff4a022b449a48e2b417fb045a353dbcaN.exe
      C:\Users\Admin\Downloads\240919-prr9raygpm_4d6281b866aeaf5b5c58f3fe792e2b9ff4a022b449a48e2b417fb045a353dbcaN.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1836
    - - C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        5⤵
        
        PID:6848
      - C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        7⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7328
        
        C:\Windows\SysWOW64\Kkpbin32.exe
        
        C:\Windows\system32\Kkpbin32.exe
        9⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        11⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7172
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        13⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8584
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        15⤵
        
        PID:9056
  - - C:\Users\Admin\Downloads\240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pryrjaygqj_eb581de89b19fc1429482bc501a6b935_JaffaCakes118.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3824
    - - \??\c:\uboot.bin
        
        "c:\uboot.bin"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:6500
      - C:\Windows\SysWOW64\Rundll32.exe
        
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\uboot.dll,abcLaunchEv
        6⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:7776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del c:\uboot.bin > nul
        6⤵
        
        PID:7792
    - - \??\c:\ntboot.bin
        
        "c:\ntboot.bin"
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:8124
      - C:\Windows\ntsock.exe
        
        "C:\Windows\ntsock.exe"
        6⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:8616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del c:\ntboot.bin > nul
        6⤵
        
        PID:8628
    - - C:\Windows\ntsys.exe
        
        "C:\Windows\ntsys.exe"
        5⤵
        
        PID:12420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 584
        5⤵
        Program crash
        
        PID:12436
  - - C:\Users\Admin\Downloads\240919-ptljzsyhnq_a2e81419ead7bab7d3eb56ba49aa57fbc2607d56565483c6323e977a0468d6a8.exe
      C:\Users\Admin\Downloads\240919-ptljzsyhnq_a2e81419ead7bab7d3eb56ba49aa57fbc2607d56565483c6323e977a0468d6a8.exe
      4⤵
      PID:1980
  - - C:\Users\Admin\Downloads\240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe
      C:\Users\Admin\Downloads\240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:4824
    - - C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6420
      - C:\Windows\SysWOW64\Gdobnj32.exe
        
        C:\Windows\system32\Gdobnj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Hdhedh32.exe
        
        C:\Windows\system32\Hdhedh32.exe
        7⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        9⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        10⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        11⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        12⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        13⤵
        
        PID:8960
  - - C:\Users\Admin\Downloads\240919-pnl9bsybjf_19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
      C:\Users\Admin\Downloads\240919-pnl9bsybjf_19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
    - - C:\Users\Admin\Downloads\240919-pnl9bsybjf_19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
        
        C:\Users\Admin\Downloads\240919-pnl9bsybjf_19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
        5⤵
        
        PID:6824
  - - C:\Users\Admin\Downloads\240919-pmpm3ayanh_6de62e421f9a46f1c1576bdd3ea88a71599957ecdbf52b393c8a68d258bd871bN.exe
      C:\Users\Admin\Downloads\240919-pmpm3ayanh_6de62e421f9a46f1c1576bdd3ea88a71599957ecdbf52b393c8a68d258bd871bN.exe
      4⤵
      PID:4400
  - - C:\Users\Admin\Downloads\240919-pzqe5azckl_1732-3-0x0000000000400000-0x0000000000442000-memory.dmp
      C:\Users\Admin\Downloads\240919-pzqe5azckl_1732-3-0x0000000000400000-0x0000000000442000-memory.dmp
      4⤵
      PID:5568
  - - C:\Users\Admin\Downloads\240919-p3spnazdlq_2260-7-0x0000000000400000-0x0000000000426000-memory.dmp
      C:\Users\Admin\Downloads\240919-p3spnazdlq_2260-7-0x0000000000400000-0x0000000000426000-memory.dmp
      4⤵
      PID:5500
  - - C:\Users\Admin\Downloads\240919-pm286ayeqp_eb54f091b05a95511601e2f9f9771bae_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pm286ayeqp_eb54f091b05a95511601e2f9f9771bae_JaffaCakes118.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5508
    - - C:\Windows\SysWOW64\mspeupx.exe
        
        C:\Windows\system32\mspeupx.exe
        5⤵
        
        PID:6040
    - - C:\Windows\SysWOW64\netpass.exe
        
        C:\Windows\system32\netpass.exe
        5⤵
        
        PID:7176
  - - C:\Users\Admin\Downloads\240919-pjxt9sydnp_5da41272d55eff3d99d9ab4586f6572a02e0e5ef35c0bbf3bef2dfa06949121bN.exe
      C:\Users\Admin\Downloads\240919-pjxt9sydnp_5da41272d55eff3d99d9ab4586f6572a02e0e5ef35c0bbf3bef2dfa06949121bN.exe
      4⤵
      Modifies registry class
      PID:5144
    - - C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        5⤵
        Modifies registry class
        
        PID:6492
      - C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        6⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        10⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        11⤵
        Drops file in System32 directory
        
        PID:8232
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9048
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        13⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        14⤵
        Drops file in System32 directory
        
        PID:8868
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8480
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        16⤵
        Drops file in System32 directory
        
        PID:9540
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        17⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        18⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        19⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        20⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        21⤵
        
        PID:7968
  - - C:\Users\Admin\Downloads\240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Loads dropped DLL
      Modifies system executable filetype association
      Suspicious use of SetWindowsHookEx
      PID:5176
    - - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsh.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\dsh.exe" 240919-pvzs1azamq_eb5a490a775a99d7859fbb486d518740_JaffaCakes118
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Modifies system executable filetype association
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:6056
  - - C:\Users\Admin\Downloads\240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
      C:\Users\Admin\Downloads\240919-pqmmwayckc_5306f0823fad7858bdc518ece0ac66f72b41a6f49b3112c38d196be1f6d36894N.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4620
    - - C:\backup.exe
        
        C:\backup.exe C:\
        5⤵
        
        PID:12084
      - C:\PerfLogs\backup.exe
        
        C:\PerfLogs\backup.exe C:\PerfLogs\
        6⤵
        
        PID:7700
      - C:\Program Files\backup.exe
        
        "C:\Program Files\backup.exe" C:\Program Files\
        6⤵
        
        PID:11604
        
        C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        7⤵
        
        PID:8272
        
        C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        8⤵
        
        PID:9548
        
        C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        7⤵
        
        PID:11228
        
        C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        8⤵
        
        PID:12996
        
        C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        8⤵
        
        PID:10660
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        9⤵
        
        PID:12808
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        9⤵
        
        PID:7556
  - - C:\Users\Admin\Downloads\240919-pte27syhmr_41eeb0d9d9dc541a94a91971823e382209dd24490911f8ab5fc09cc929578a83N.exe
      C:\Users\Admin\Downloads\240919-pte27syhmr_41eeb0d9d9dc541a94a91971823e382209dd24490911f8ab5fc09cc929578a83N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:5272
    - - C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
      - C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7416
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        7⤵
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        8⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        9⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        10⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        11⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        12⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        13⤵
        Drops file in System32 directory
        
        PID:8492
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8960
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:8316
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        16⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        17⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        18⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        19⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        20⤵
        
        PID:10996
  - - C:\Users\Admin\Downloads\240919-pwr5jsyepe_0e8e3f6c88ec43a5ffc8603e3c0961ecff94fb7224ea0914893155a90f0fb968N.exe
      C:\Users\Admin\Downloads\240919-pwr5jsyepe_0e8e3f6c88ec43a5ffc8603e3c0961ecff94fb7224ea0914893155a90f0fb968N.exe
      4⤵
      PID:5548
    - - C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        5⤵
        
        PID:7020
      - C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        7⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        8⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8132
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        12⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8300
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9112
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        15⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        16⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        17⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        18⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:9580
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        20⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        21⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        22⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        23⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        24⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        25⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        26⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        27⤵
        
        PID:12584
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        28⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        29⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        30⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        31⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        32⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        33⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        34⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        35⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        36⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        37⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        38⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        39⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        40⤵
        
        PID:14116
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        41⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        42⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        43⤵
        
        PID:13868
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        44⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        45⤵
        
        PID:15264
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        46⤵
        
        PID:16024
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        47⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        48⤵
        
        PID:18916
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        49⤵
        
        PID:19616
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        50⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        51⤵
        
        PID:17032
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        52⤵
        
        PID:21484
  - - C:\Users\Admin\Downloads\240919-pnhk5syfkl_KZ710-0038.exe
      C:\Users\Admin\Downloads\240919-pnhk5syfkl_KZ710-0038.exe
      4⤵
      Loads dropped DLL
      PID:5516
  - - C:\Users\Admin\Downloads\240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
      C:\Users\Admin\Downloads\240919-psq33sydlf_1630f55ec7f51e877e7a317af55912e8546312bd154e076e3462f32387f95a16N.exe
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        5⤵
        Adds Run key to start application
        
        PID:7040
  - - C:\Users\Admin\Downloads\240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN.exe
      C:\Users\Admin\Downloads\240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN.exe
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        5⤵
        
        PID:6540
      - C:\Windows\SysWOW64\Hginecde.exe
        
        C:\Windows\system32\Hginecde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        7⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Jnhidk32.exe
        
        C:\Windows\system32\Jnhidk32.exe
        8⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8184
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7312
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        13⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        14⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        15⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8404
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        16⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        17⤵
        Modifies registry class
        
        PID:9300
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        18⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9704
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        19⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        20⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        21⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        22⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        23⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        24⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        25⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        26⤵
        
        PID:13020
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        27⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        28⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        29⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        30⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        31⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        32⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        33⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        34⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        35⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        36⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        37⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        38⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        39⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        40⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        41⤵
        
        PID:14040
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        42⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        43⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        44⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        45⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        46⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        47⤵
        
        PID:13612
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        48⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        49⤵
        
        PID:15184
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        50⤵
        
        PID:16140
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        51⤵
        
        PID:15180
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        52⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        53⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        54⤵
        
        PID:19004
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        55⤵
        
        PID:19684
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        56⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        57⤵
        
        PID:18772
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        58⤵
        
        PID:18120
  - - C:\Users\Admin\Downloads\240919-pts9tsydqe_eb596018e9b4a40957408c5eb799c5e4_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pts9tsydqe_eb596018e9b4a40957408c5eb799c5e4_JaffaCakes118.exe
      4⤵
      PID:5184
  - - C:\Users\Admin\Downloads\240919-px1hbazblk_0e75ee9ef94eeb429fcb8a5ecb456dcfc259ae6de4ea7a034c41d8abc2305581N.exe
      C:\Users\Admin\Downloads\240919-px1hbazblk_0e75ee9ef94eeb429fcb8a5ecb456dcfc259ae6de4ea7a034c41d8abc2305581N.exe
      4⤵
      PID:6632
    - - C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7136
      - C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        7⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7752
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7324
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        12⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        13⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        14⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        15⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8860
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        16⤵
        Drops file in System32 directory
        
        PID:8472
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        17⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        18⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        19⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        20⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        21⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        22⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        23⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        24⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        25⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        26⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        27⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        28⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        29⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        30⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        31⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        32⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        33⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        34⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        35⤵
        
        PID:13124
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        36⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        37⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        38⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        39⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        40⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        41⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        42⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        43⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        44⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        45⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        46⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        47⤵
        
        PID:13732
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        48⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        49⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        50⤵
        
        PID:14156
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        51⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        52⤵
        
        PID:15996
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        53⤵
        
        PID:17488
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        54⤵
        
        PID:19072
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        55⤵
        
        PID:19876
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        56⤵
        
        PID:17824
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        57⤵
        
        PID:20672
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        58⤵
        
        PID:2116
  - - C:\Users\Admin\Downloads\240919-pncpwsyfjk_documents-pdf.exe
      C:\Users\Admin\Downloads\240919-pncpwsyfjk_documents-pdf.exe
      4⤵
      Adds Run key to start application
      PID:7816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 1212
        5⤵
        Program crash
        
        PID:9376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 1232
        5⤵
        Program crash
        
        PID:9648
  - - C:\Users\Admin\Downloads\240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pzkvmsygja_eb5cf6d6717307d5eaa965b807a9e240_JaffaCakes118.exe
      4⤵
      Modifies WinLogon for persistence
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:7840
  - - C:\Users\Admin\Downloads\240919-plsnbsyelk_7b0e47726c40512f6700fd5bd3ecc1762eb5c2d6716122a77ee1e1727d259d14N.exe
      C:\Users\Admin\Downloads\240919-plsnbsyelk_7b0e47726c40512f6700fd5bd3ecc1762eb5c2d6716122a77ee1e1727d259d14N.exe
      4⤵
      PID:9944
    - - \??\c:\7fflllx.exe
        
        c:\7fflllx.exe
        5⤵
        
        PID:5812
      - \??\c:\5xrlrll.exe
        
        c:\5xrlrll.exe
        6⤵
        
        PID:11032
        
        \??\c:\vvppp.exe
        
        c:\vvppp.exe
        7⤵
        
        PID:4488
        
        \??\c:\1frrxff.exe
        
        c:\1frrxff.exe
        8⤵
        
        PID:10336
        
        \??\c:\jvpjj.exe
        
        c:\jvpjj.exe
        9⤵
        
        PID:11488
        
        \??\c:\7ffxxff.exe
        
        c:\7ffxxff.exe
        10⤵
        
        PID:11872
        
        \??\c:\hntttt.exe
        
        c:\hntttt.exe
        11⤵
        
        PID:6120
        
        \??\c:\pdjjd.exe
        
        c:\pdjjd.exe
        12⤵
        
        PID:12504
        
        \??\c:\5pvpj.exe
        
        c:\5pvpj.exe
        13⤵
        
        PID:13132
        
        \??\c:\ttnnnn.exe
        
        c:\ttnnnn.exe
        14⤵
        
        PID:8700
        
        \??\c:\9rfffff.exe
        
        c:\9rfffff.exe
        15⤵
        
        PID:7688
        
        \??\c:\llllfff.exe
        
        c:\llllfff.exe
        16⤵
        
        PID:6800
        
        \??\c:\thhnbb.exe
        
        c:\thhnbb.exe
        17⤵
        
        PID:12352
        
        \??\c:\rxxrlll.exe
        
        c:\rxxrlll.exe
        18⤵
        
        PID:7212
        
        \??\c:\xllrxff.exe
        
        c:\xllrxff.exe
        19⤵
        
        PID:12552
        
        \??\c:\tbhhnt.exe
        
        c:\tbhhnt.exe
        20⤵
        
        PID:9788
        
        \??\c:\bbhhbh.exe
        
        c:\bbhhbh.exe
        21⤵
        
        PID:13160
        
        \??\c:\pdjvd.exe
        
        c:\pdjvd.exe
        22⤵
        
        PID:9672
        
        \??\c:\rxffxxx.exe
        
        c:\rxffxxx.exe
        23⤵
        
        PID:12360
        
        \??\c:\vjppp.exe
        
        c:\vjppp.exe
        24⤵
        
        PID:11940
        
        \??\c:\nthhnn.exe
        
        c:\nthhnn.exe
        25⤵
        
        PID:13048
  - - C:\Users\Admin\Downloads\240919-pn2zsaybmb_eb55a8a4624c28cf4a2f2a7d762fdd8e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pn2zsaybmb_eb55a8a4624c28cf4a2f2a7d762fdd8e_JaffaCakes118.exe
      4⤵
      PID:10372
    - - C:\Users\Admin\Downloads\240919-pn2zsaybmb_eb55a8a4624c28cf4a2f2a7d762fdd8e_JaffaCakes118.exe
        
        "C:\Users\Admin\Downloads\240919-pn2zsaybmb_eb55a8a4624c28cf4a2f2a7d762fdd8e_JaffaCakes118.exe"
        5⤵
        
        PID:10288
  - - C:\Users\Admin\Downloads\240919-px7avszbmk_RustAnticheat.exe
      C:\Users\Admin\Downloads\240919-px7avszbmk_RustAnticheat.exe
      4⤵
      PID:8796
    - - C:\Users\Admin\RuntimeBroker.exe
        
        "C:\Users\Admin\RuntimeBroker.exe"
        5⤵
        
        PID:11572
    - - C:\Users\Admin\RustAntich1eat.exe
        
        "C:\Users\Admin\RustAntich1eat.exe"
        5⤵
        
        PID:6628
    - - C:\Users\Admin\Umbral.exe
        
        "C:\Users\Admin\Umbral.exe"
        5⤵
        
        PID:5116
  - - C:\Users\Admin\Downloads\240919-pnb4csyaqe_AWB_Ref#339720937705pdf.exe
      C:\Users\Admin\Downloads\240919-pnb4csyaqe_AWB_Ref#339720937705pdf.exe
      4⤵
      PID:11400
  - - C:\Users\Admin\Downloads\240919-pr1acsygql_ce02184d0d3c906e141508a5b94069cd84a2d361abb0fba9b4c1dadf64fe9d2dN.exe
      C:\Users\Admin\Downloads\240919-pr1acsygql_ce02184d0d3c906e141508a5b94069cd84a2d361abb0fba9b4c1dadf64fe9d2dN.exe
      4⤵
      PID:12608
    - - C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        5⤵
        
        PID:13264
      - C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        6⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        7⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        8⤵
        
        PID:12832
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        10⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        11⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        12⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        13⤵
        
        PID:13028
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        14⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        15⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        16⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        17⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        18⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        19⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        20⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        21⤵
        
        PID:13768
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        22⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        23⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        24⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        25⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        26⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        27⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        28⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        29⤵
        
        PID:16108
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        30⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        31⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        32⤵
        
        PID:18928
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        33⤵
        
        PID:19648
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        34⤵
        
        PID:17616
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        35⤵
        
        PID:18820
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        36⤵
        
        PID:22156
  - - C:\Users\Admin\Downloads\240919-pr49baycrh_906d63ab68e041593fb8b5fa3ceb09c50aafd486c85dadf8a74d007ba6288b80N.exe
      C:\Users\Admin\Downloads\240919-pr49baycrh_906d63ab68e041593fb8b5fa3ceb09c50aafd486c85dadf8a74d007ba6288b80N.exe
      4⤵
      PID:8508
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!
        5⤵
        
        PID:13280
  - - C:\Users\Admin\Downloads\240919-pk9v8ayejk_a7911b68254b2f30702a9bb1ba9f01afd684a5c7e63ab844a1963c554a7f5a10N.exe
      C:\Users\Admin\Downloads\240919-pk9v8ayejk_a7911b68254b2f30702a9bb1ba9f01afd684a5c7e63ab844a1963c554a7f5a10N.exe
      4⤵
      PID:9992
    - - C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        5⤵
        
        PID:12512
      - C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        6⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        7⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        8⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        9⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        10⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        11⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        12⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        13⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        14⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        15⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        16⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        17⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        18⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        19⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        20⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        21⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        22⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        23⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        24⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        25⤵
        
        PID:17372
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        26⤵
        
        PID:18164
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        27⤵
        
        PID:18616
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        28⤵
        
        PID:15948
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        29⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        30⤵
        
        PID:21188
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        31⤵
        
        PID:22200
  - - C:\Users\Admin\Downloads\240919-psckpayhjn_eb586fb27c1340840b93eada3a4e640d_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-psckpayhjn_eb586fb27c1340840b93eada3a4e640d_JaffaCakes118.exe
      4⤵
      PID:11644
  - - C:\Users\Admin\Downloads\240919-pzx5zaygkf_eb5d25e57d93a06a9b1fe1170d52ac35_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pzx5zaygkf_eb5d25e57d93a06a9b1fe1170d52ac35_JaffaCakes118.exe
      4⤵
      PID:11824
  - - C:\Users\Admin\Downloads\240919-pwlyjayenf_eb5abeeb0ee099d044f525b25da4920a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pwlyjayenf_eb5abeeb0ee099d044f525b25da4920a_JaffaCakes118.exe
      4⤵
      PID:11804
  - - C:\Users\Admin\Downloads\240919-pqv91sycle_538bb6188211c79735590592ee686a00e5d7e16e072673111ceb32c4d9511128.exe
      C:\Users\Admin\Downloads\240919-pqv91sycle_538bb6188211c79735590592ee686a00e5d7e16e072673111ceb32c4d9511128.exe
      4⤵
      PID:9944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9944 -s 1064
        5⤵
        Program crash
        
        PID:13628
  - - C:\Users\Admin\Downloads\240919-pnyx5ayblc_PO23100080 & Order Specs.exe
      "C:\Users\Admin\Downloads\240919-pnyx5ayblc_PO23100080 & Order Specs.exe"
      4⤵
      PID:8048
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\Downloads\240919-pnyx5ayblc_PO23100080 & Order Specs.exe"
        5⤵
        
        PID:7464
  - - C:\Users\Admin\Downloads\240919-pw3w2syeqh_639ea11e0c3ecdd5a47f03ed59e02d0a541121f27cde59306a57cffad09a72e0N.exe
      C:\Users\Admin\Downloads\240919-pw3w2syeqh_639ea11e0c3ecdd5a47f03ed59e02d0a541121f27cde59306a57cffad09a72e0N.exe
      4⤵
      PID:10920
    - - C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        5⤵
        
        PID:5312
      - C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        6⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        7⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        8⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        9⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        10⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        11⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        12⤵
        
        PID:13440
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        13⤵
        
        PID:13988
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        14⤵
        
        PID:16040
  - - C:\Users\Admin\Downloads\240919-pnrttaybkd_Ordine Request 09-24.exe
      "C:\Users\Admin\Downloads\240919-pnrttaybkd_Ordine Request 09-24.exe"
      4⤵
      PID:8312
  - - C:\Users\Admin\Downloads\240919-p2hhaszcqq_0d3e489345fcb6e2c7ed9a7c9171fe7d24f5eb22913bbeae5b88c3fe36854947N.exe
      C:\Users\Admin\Downloads\240919-p2hhaszcqq_0d3e489345fcb6e2c7ed9a7c9171fe7d24f5eb22913bbeae5b88c3fe36854947N.exe
      4⤵
      PID:10468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10468 -s 24616
        5⤵
        Program crash
        
        PID:3396
  - - C:\Users\Admin\Downloads\240919-pmlw6syepm_eb54a679cf165a645a9a977aa64ac623_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pmlw6syepm_eb54a679cf165a645a9a977aa64ac623_JaffaCakes118.exe
      4⤵
      PID:3144
  - - C:\Users\Admin\Downloads\240919-pk5lhaydrp_2d6293784902f18955d10dea1de8888e15757543346334397e15c2b9d5b98adbN.exe
      C:\Users\Admin\Downloads\240919-pk5lhaydrp_2d6293784902f18955d10dea1de8888e15757543346334397e15c2b9d5b98adbN.exe
      4⤵
      PID:12320
    - - C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        5⤵
        
        PID:1108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 428
        6⤵
        Program crash
        
        PID:14236
  - - C:\Users\Admin\Downloads\240919-pr49baycrg_eb583ccf1753294e7660d26e433fd6eb_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pr49baycrg_eb583ccf1753294e7660d26e433fd6eb_JaffaCakes118.exe
      4⤵
      PID:8140
  - - C:\Users\Admin\Downloads\240919-pjswbaydnk_61cee45a58d56be4750ee0ef1a81c0a31abd658cd41d6be52510a440f7dcfdfbN.exe
      C:\Users\Admin\Downloads\240919-pjswbaydnk_61cee45a58d56be4750ee0ef1a81c0a31abd658cd41d6be52510a440f7dcfdfbN.exe
      4⤵
      PID:7132
    - - C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        5⤵
        
        PID:13428
      - C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        6⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        7⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        8⤵
        
        PID:14296
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        9⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        10⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        11⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        12⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        13⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        14⤵
        
        PID:15964
  - - C:\Users\Admin\Downloads\240919-pllvsayajc_eaf872573f789a71ee88fb2c0d125675779acaafea9e764e0af4b262b869d209N.exe
      C:\Users\Admin\Downloads\240919-pllvsayajc_eaf872573f789a71ee88fb2c0d125675779acaafea9e764e0af4b262b869d209N.exe
      4⤵
      PID:13604
    - - C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        5⤵
        
        PID:13980
      - C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        6⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        7⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        8⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        9⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        10⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        11⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        12⤵
        
        PID:14056
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        13⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        14⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        15⤵
        
        PID:17052
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        16⤵
        
        PID:17600
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        17⤵
        
        PID:16096
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        18⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        19⤵
        
        PID:20252
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        20⤵
        
        PID:18428
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        21⤵
        
        PID:21052
  - - C:\Users\Admin\Downloads\240919-p1v21azcpl_3068-3-0x0000000000090000-0x00000000000DA000-memory.dmp
      C:\Users\Admin\Downloads\240919-p1v21azcpl_3068-3-0x0000000000090000-0x00000000000DA000-memory.dmp
      4⤵
      PID:13948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13948 -s 8
        5⤵
        Program crash
        
        PID:15304
  - - C:\Users\Admin\Downloads\240919-pp7awsygjp_l6E.exe
      C:\Users\Admin\Downloads\240919-pp7awsygjp_l6E.exe
      4⤵
      PID:4732
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:20044
  - - C:\Users\Admin\Downloads\240919-ptscjayhpm_eb595cc6a1c33055ae501957258ccc4c_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-ptscjayhpm_eb595cc6a1c33055ae501957258ccc4c_JaffaCakes118.exe
      4⤵
      PID:10444
  - - C:\Users\Admin\Downloads\240919-pvlw5szalj_PO-LIST.exe
      C:\Users\Admin\Downloads\240919-pvlw5szalj_PO-LIST.exe
      4⤵
      PID:14088
    - - C:\Users\Admin\AppData\Local\directory\name.exe
        
        C:\Users\Admin\Downloads\240919-pvlw5szalj_PO-LIST.exe
        5⤵
        
        PID:22096
  - - C:\Users\Admin\Downloads\240919-pnffsayfjn_FDS00000900000.exe
      C:\Users\Admin\Downloads\240919-pnffsayfjn_FDS00000900000.exe
      4⤵
      PID:12564
    - - C:\Users\Admin\AppData\Local\totted\sacculation.exe
        
        C:\Users\Admin\Downloads\240919-pnffsayfjn_FDS00000900000.exe
        5⤵
        
        PID:20780
  - - C:\Users\Admin\Downloads\240919-plnz5syekq_Trojan.Win64.CoinMiner-bf525f074f45084861de521cd654982b3f3ebcecef76194bce8a4bcd4f161ff7N
      C:\Users\Admin\Downloads\240919-plnz5syekq_Trojan.Win64.CoinMiner-bf525f074f45084861de521cd654982b3f3ebcecef76194bce8a4bcd4f161ff7N
      4⤵
      PID:14720
    - - C:\Windows\System\rLGysGa.exe
        
        C:\Windows\System\rLGysGa.exe
        5⤵
        
        PID:15204
    - - C:\Windows\System\iplKNQl.exe
        
        C:\Windows\System\iplKNQl.exe
        5⤵
        
        PID:12684
    - - C:\Windows\System\pySjSSc.exe
        
        C:\Windows\System\pySjSSc.exe
        5⤵
        
        PID:15320
    - - C:\Windows\System\eaTpLph.exe
        
        C:\Windows\System\eaTpLph.exe
        5⤵
        
        PID:2972
    - - C:\Windows\System\LskdRYD.exe
        
        C:\Windows\System\LskdRYD.exe
        5⤵
        
        PID:9180
    - - C:\Windows\System\RgxpmLH.exe
        
        C:\Windows\System\RgxpmLH.exe
        5⤵
        
        PID:15348
    - - C:\Windows\System\ebetbmR.exe
        
        C:\Windows\System\ebetbmR.exe
        5⤵
        
        PID:12364
    - - C:\Windows\System\RpBPOoF.exe
        
        C:\Windows\System\RpBPOoF.exe
        5⤵
        
        PID:16400
    - - C:\Windows\System\oNlEzsY.exe
        
        C:\Windows\System\oNlEzsY.exe
        5⤵
        
        PID:16424
    - - C:\Windows\System\DhvjjeT.exe
        
        C:\Windows\System\DhvjjeT.exe
        5⤵
        
        PID:16440
    - - C:\Windows\System\nPUvbnb.exe
        
        C:\Windows\System\nPUvbnb.exe
        5⤵
        
        PID:16456
    - - C:\Windows\System\ABiOMgE.exe
        
        C:\Windows\System\ABiOMgE.exe
        5⤵
        
        PID:16472
    - - C:\Windows\System\YtUrDCa.exe
        
        C:\Windows\System\YtUrDCa.exe
        5⤵
        
        PID:16488
    - - C:\Windows\System\uYXQqWT.exe
        
        C:\Windows\System\uYXQqWT.exe
        5⤵
        
        PID:16504
    - - C:\Windows\System\KNaCRoi.exe
        
        C:\Windows\System\KNaCRoi.exe
        5⤵
        
        PID:16520
    - - C:\Windows\System\ixkvBeN.exe
        
        C:\Windows\System\ixkvBeN.exe
        5⤵
        
        PID:16544
    - - C:\Windows\System\ZXkFDjU.exe
        
        C:\Windows\System\ZXkFDjU.exe
        5⤵
        
        PID:16560
    - - C:\Windows\System\rXclFas.exe
        
        C:\Windows\System\rXclFas.exe
        5⤵
        
        PID:16576
    - - C:\Windows\System\FJtHbdT.exe
        
        C:\Windows\System\FJtHbdT.exe
        5⤵
        
        PID:16592
    - - C:\Windows\System\wvZSBpx.exe
        
        C:\Windows\System\wvZSBpx.exe
        5⤵
        
        PID:16608
    - - C:\Windows\System\RXhsZNB.exe
        
        C:\Windows\System\RXhsZNB.exe
        5⤵
        
        PID:16624
    - - C:\Windows\System\GljhRfK.exe
        
        C:\Windows\System\GljhRfK.exe
        5⤵
        
        PID:16640
    - - C:\Windows\System\iPtodlZ.exe
        
        C:\Windows\System\iPtodlZ.exe
        5⤵
        
        PID:16656
    - - C:\Windows\System\ZrEZYzR.exe
        
        C:\Windows\System\ZrEZYzR.exe
        5⤵
        
        PID:16680
    - - C:\Windows\System\AUBbJwi.exe
        
        C:\Windows\System\AUBbJwi.exe
        5⤵
        
        PID:16696
    - - C:\Windows\System\nuaLMii.exe
        
        C:\Windows\System\nuaLMii.exe
        5⤵
        
        PID:16712
    - - C:\Windows\System\OkhsXXE.exe
        
        C:\Windows\System\OkhsXXE.exe
        5⤵
        
        PID:16728
    - - C:\Windows\System\ZcKZtTV.exe
        
        C:\Windows\System\ZcKZtTV.exe
        5⤵
        
        PID:16744
    - - C:\Windows\System\vLHjdoh.exe
        
        C:\Windows\System\vLHjdoh.exe
        5⤵
        
        PID:16760
    - - C:\Windows\System\hcVYhYF.exe
        
        C:\Windows\System\hcVYhYF.exe
        5⤵
        
        PID:17404
    - - C:\Windows\System\OHTZAtS.exe
        
        C:\Windows\System\OHTZAtS.exe
        5⤵
        
        PID:16212
    - - C:\Windows\System\kqgeXKs.exe
        
        C:\Windows\System\kqgeXKs.exe
        5⤵
        
        PID:14076
    - - C:\Windows\System\UFSkpwE.exe
        
        C:\Windows\System\UFSkpwE.exe
        5⤵
        
        PID:18292
    - - C:\Windows\System\jlQhyau.exe
        
        C:\Windows\System\jlQhyau.exe
        5⤵
        
        PID:18308
    - - C:\Windows\System\qnlykZq.exe
        
        C:\Windows\System\qnlykZq.exe
        5⤵
        
        PID:18324
    - - C:\Windows\System\OrSWUUu.exe
        
        C:\Windows\System\OrSWUUu.exe
        5⤵
        
        PID:18340
    - - C:\Windows\System\qNaYxLl.exe
        
        C:\Windows\System\qNaYxLl.exe
        5⤵
        
        PID:18356
    - - C:\Windows\System\IcgoClm.exe
        
        C:\Windows\System\IcgoClm.exe
        5⤵
        
        PID:18372
    - - C:\Windows\System\UkWTHqi.exe
        
        C:\Windows\System\UkWTHqi.exe
        5⤵
        
        PID:18392
    - - C:\Windows\System\nfgVsPa.exe
        
        C:\Windows\System\nfgVsPa.exe
        5⤵
        
        PID:18408
    - - C:\Windows\System\XTkfpNK.exe
        
        C:\Windows\System\XTkfpNK.exe
        5⤵
        
        PID:13916
    - - C:\Windows\System\UleYWrC.exe
        
        C:\Windows\System\UleYWrC.exe
        5⤵
        
        PID:16724
    - - C:\Windows\System\qhnHsQT.exe
        
        C:\Windows\System\qhnHsQT.exe
        5⤵
        
        PID:13248
    - - C:\Windows\System\jZZdDNB.exe
        
        C:\Windows\System\jZZdDNB.exe
        5⤵
        
        PID:11136
    - - C:\Windows\System\tyhVWNG.exe
        
        C:\Windows\System\tyhVWNG.exe
        5⤵
        
        PID:14760
    - - C:\Windows\System\jfziJin.exe
        
        C:\Windows\System\jfziJin.exe
        5⤵
        
        PID:14304
    - - C:\Windows\System\gUMPrtA.exe
        
        C:\Windows\System\gUMPrtA.exe
        5⤵
        
        PID:15364
    - - C:\Windows\System\yNIPkUN.exe
        
        C:\Windows\System\yNIPkUN.exe
        5⤵
        
        PID:15396
    - - C:\Windows\System\MbwCtab.exe
        
        C:\Windows\System\MbwCtab.exe
        5⤵
        
        PID:15440
    - - C:\Windows\System\YPwnMAy.exe
        
        C:\Windows\System\YPwnMAy.exe
        5⤵
        
        PID:15476
    - - C:\Windows\System\rbTsECw.exe
        
        C:\Windows\System\rbTsECw.exe
        5⤵
        
        PID:15524
    - - C:\Windows\System\bkqvjxc.exe
        
        C:\Windows\System\bkqvjxc.exe
        5⤵
        
        PID:15584
    - - C:\Windows\System\lDRTdQW.exe
        
        C:\Windows\System\lDRTdQW.exe
        5⤵
        
        PID:15616
    - - C:\Windows\System\frueeVi.exe
        
        C:\Windows\System\frueeVi.exe
        5⤵
        
        PID:15648
    - - C:\Windows\System\RXMJwNl.exe
        
        C:\Windows\System\RXMJwNl.exe
        5⤵
        
        PID:15688
    - - C:\Windows\System\acglpIk.exe
        
        C:\Windows\System\acglpIk.exe
        5⤵
        
        PID:15724
    - - C:\Windows\System\FPJnsYh.exe
        
        C:\Windows\System\FPJnsYh.exe
        5⤵
        
        PID:15764
    - - C:\Windows\System\dcyAxvb.exe
        
        C:\Windows\System\dcyAxvb.exe
        5⤵
        
        PID:15804
    - - C:\Windows\System\CtRILLG.exe
        
        C:\Windows\System\CtRILLG.exe
        5⤵
        
        PID:15836
    - - C:\Windows\System\XVKxlGH.exe
        
        C:\Windows\System\XVKxlGH.exe
        5⤵
        
        PID:15868
    - - C:\Windows\System\oYqwPUG.exe
        
        C:\Windows\System\oYqwPUG.exe
        5⤵
        
        PID:15900
    - - C:\Windows\System\qOQOWYY.exe
        
        C:\Windows\System\qOQOWYY.exe
        5⤵
        
        PID:17384
    - - C:\Windows\System\lxFBHFt.exe
        
        C:\Windows\System\lxFBHFt.exe
        5⤵
        
        PID:15960
    - - C:\Windows\System\bZioCZu.exe
        
        C:\Windows\System\bZioCZu.exe
        5⤵
        
        PID:15992
    - - C:\Windows\System\eRvIYrk.exe
        
        C:\Windows\System\eRvIYrk.exe
        5⤵
        
        PID:16088
    - - C:\Windows\System\NOeRlOS.exe
        
        C:\Windows\System\NOeRlOS.exe
        5⤵
        
        PID:18540
    - - C:\Windows\System\BwolrjE.exe
        
        C:\Windows\System\BwolrjE.exe
        5⤵
        
        PID:18588
    - - C:\Windows\System\HCjWuIu.exe
        
        C:\Windows\System\HCjWuIu.exe
        5⤵
        
        PID:18636
    - - C:\Windows\System\KRyORHl.exe
        
        C:\Windows\System\KRyORHl.exe
        5⤵
        
        PID:18664
    - - C:\Windows\System\cVIsIcX.exe
        
        C:\Windows\System\cVIsIcX.exe
        5⤵
        
        PID:18680
    - - C:\Windows\System\rejpYtg.exe
        
        C:\Windows\System\rejpYtg.exe
        5⤵
        
        PID:18696
    - - C:\Windows\System\fKzaajR.exe
        
        C:\Windows\System\fKzaajR.exe
        5⤵
        
        PID:18712
    - - C:\Windows\System\zEiaZEn.exe
        
        C:\Windows\System\zEiaZEn.exe
        5⤵
        
        PID:18728
    - - C:\Windows\System\MtkVHvd.exe
        
        C:\Windows\System\MtkVHvd.exe
        5⤵
        
        PID:18744
    - - C:\Windows\System\WQUXOva.exe
        
        C:\Windows\System\WQUXOva.exe
        5⤵
        
        PID:18760
    - - C:\Windows\System\KOJSDRv.exe
        
        C:\Windows\System\KOJSDRv.exe
        5⤵
        
        PID:18776
    - - C:\Windows\System\cQedMHe.exe
        
        C:\Windows\System\cQedMHe.exe
        5⤵
        
        PID:18792
    - - C:\Windows\System\fxNQlsr.exe
        
        C:\Windows\System\fxNQlsr.exe
        5⤵
        
        PID:18808
    - - C:\Windows\System\QTSAxof.exe
        
        C:\Windows\System\QTSAxof.exe
        5⤵
        
        PID:18824
    - - C:\Windows\System\dyvCBGJ.exe
        
        C:\Windows\System\dyvCBGJ.exe
        5⤵
        
        PID:18900
    - - C:\Windows\System\CUInliq.exe
        
        C:\Windows\System\CUInliq.exe
        5⤵
        
        PID:18940
    - - C:\Windows\System\cmNXrEV.exe
        
        C:\Windows\System\cmNXrEV.exe
        5⤵
        
        PID:18956
    - - C:\Windows\System\UXFkEIN.exe
        
        C:\Windows\System\UXFkEIN.exe
        5⤵
        
        PID:18996
    - - C:\Windows\System\NgjpAAw.exe
        
        C:\Windows\System\NgjpAAw.exe
        5⤵
        
        PID:19024
    - - C:\Windows\System\YJNNLjb.exe
        
        C:\Windows\System\YJNNLjb.exe
        5⤵
        
        PID:19044
    - - C:\Windows\System\CdlTihB.exe
        
        C:\Windows\System\CdlTihB.exe
        5⤵
        
        PID:19128
    - - C:\Windows\System\FaCJpyd.exe
        
        C:\Windows\System\FaCJpyd.exe
        5⤵
        
        PID:19144
    - - C:\Windows\System\RmaaHjl.exe
        
        C:\Windows\System\RmaaHjl.exe
        5⤵
        
        PID:19160
    - - C:\Windows\System\RvOYiiK.exe
        
        C:\Windows\System\RvOYiiK.exe
        5⤵
        
        PID:19176
    - - C:\Windows\System\HBokvph.exe
        
        C:\Windows\System\HBokvph.exe
        5⤵
        
        PID:19192
    - - C:\Windows\System\gAhbFkE.exe
        
        C:\Windows\System\gAhbFkE.exe
        5⤵
        
        PID:19208
    - - C:\Windows\System\KFAdTjh.exe
        
        C:\Windows\System\KFAdTjh.exe
        5⤵
        
        PID:19232
    - - C:\Windows\System\lQRnppJ.exe
        
        C:\Windows\System\lQRnppJ.exe
        5⤵
        
        PID:19248
    - - C:\Windows\System\slnlnco.exe
        
        C:\Windows\System\slnlnco.exe
        5⤵
        
        PID:19276
    - - C:\Windows\System\FdyaXKO.exe
        
        C:\Windows\System\FdyaXKO.exe
        5⤵
        
        PID:19300
    - - C:\Windows\System\tblilCb.exe
        
        C:\Windows\System\tblilCb.exe
        5⤵
        
        PID:19328
    - - C:\Windows\System\JburjDX.exe
        
        C:\Windows\System\JburjDX.exe
        5⤵
        
        PID:19344
    - - C:\Windows\System\ULimtBw.exe
        
        C:\Windows\System\ULimtBw.exe
        5⤵
        
        PID:19380
    - - C:\Windows\System\wjVRBgh.exe
        
        C:\Windows\System\wjVRBgh.exe
        5⤵
        
        PID:19396
    - - C:\Windows\System\VPPYZcA.exe
        
        C:\Windows\System\VPPYZcA.exe
        5⤵
        
        PID:19412
    - - C:\Windows\System\lZOAvRL.exe
        
        C:\Windows\System\lZOAvRL.exe
        5⤵
        
        PID:19436
    - - C:\Windows\System\EJKTzzK.exe
        
        C:\Windows\System\EJKTzzK.exe
        5⤵
        
        PID:2252
    - - C:\Windows\System\oZVKQTD.exe
        
        C:\Windows\System\oZVKQTD.exe
        5⤵
        
        PID:14344
    - - C:\Windows\System\PkbazMI.exe
        
        C:\Windows\System\PkbazMI.exe
        5⤵
        
        PID:14424
    - - C:\Windows\System\NczMTcE.exe
        
        C:\Windows\System\NczMTcE.exe
        5⤵
        
        PID:14464
    - - C:\Windows\System\eHadmgQ.exe
        
        C:\Windows\System\eHadmgQ.exe
        5⤵
        
        PID:14528
    - - C:\Windows\System\lJGPsYS.exe
        
        C:\Windows\System\lJGPsYS.exe
        5⤵
        
        PID:16704
    - - C:\Windows\System\oEpHSFO.exe
        
        C:\Windows\System\oEpHSFO.exe
        5⤵
        
        PID:17020
    - - C:\Windows\System\cOYtHwc.exe
        
        C:\Windows\System\cOYtHwc.exe
        5⤵
        
        PID:18624
    - - C:\Windows\System\rWrSYoZ.exe
        
        C:\Windows\System\rWrSYoZ.exe
        5⤵
        
        PID:19476
    - - C:\Windows\System\cfIxKtu.exe
        
        C:\Windows\System\cfIxKtu.exe
        5⤵
        
        PID:19712
    - - C:\Windows\System\qJNCZpJ.exe
        
        C:\Windows\System\qJNCZpJ.exe
        5⤵
        
        PID:19728
    - - C:\Windows\System\TAkYhtS.exe
        
        C:\Windows\System\TAkYhtS.exe
        5⤵
        
        PID:19748
    - - C:\Windows\System\UTeNxAd.exe
        
        C:\Windows\System\UTeNxAd.exe
        5⤵
        
        PID:19764
    - - C:\Windows\System\ZOMvlmw.exe
        
        C:\Windows\System\ZOMvlmw.exe
        5⤵
        
        PID:19808
    - - C:\Windows\System\tdIyohb.exe
        
        C:\Windows\System\tdIyohb.exe
        5⤵
        
        PID:19824
    - - C:\Windows\System\FZMkoiD.exe
        
        C:\Windows\System\FZMkoiD.exe
        5⤵
        
        PID:19848
    - - C:\Windows\System\MjUkdgq.exe
        
        C:\Windows\System\MjUkdgq.exe
        5⤵
        
        PID:19904
    - - C:\Windows\System\zcrdwJL.exe
        
        C:\Windows\System\zcrdwJL.exe
        5⤵
        
        PID:19948
    - - C:\Windows\System\VcXQnFF.exe
        
        C:\Windows\System\VcXQnFF.exe
        5⤵
        
        PID:19964
    - - C:\Windows\System\eEDLhxs.exe
        
        C:\Windows\System\eEDLhxs.exe
        5⤵
        
        PID:19984
    - - C:\Windows\System\KpLkmJl.exe
        
        C:\Windows\System\KpLkmJl.exe
        5⤵
        
        PID:20000
    - - C:\Windows\System\ccVHrEC.exe
        
        C:\Windows\System\ccVHrEC.exe
        5⤵
        
        PID:20016
    - - C:\Windows\System\nUSoKpN.exe
        
        C:\Windows\System\nUSoKpN.exe
        5⤵
        
        PID:20032
    - - C:\Windows\System\pqlhOLo.exe
        
        C:\Windows\System\pqlhOLo.exe
        5⤵
        
        PID:20060
    - - C:\Windows\System\VZABFcS.exe
        
        C:\Windows\System\VZABFcS.exe
        5⤵
        
        PID:20076
    - - C:\Windows\System\mzwTgPa.exe
        
        C:\Windows\System\mzwTgPa.exe
        5⤵
        
        PID:17896
    - - C:\Windows\System\kNaggBF.exe
        
        C:\Windows\System\kNaggBF.exe
        5⤵
        
        PID:17976
    - - C:\Windows\System\NfXvcfl.exe
        
        C:\Windows\System\NfXvcfl.exe
        5⤵
        
        PID:18008
    - - C:\Windows\System\JehMLAi.exe
        
        C:\Windows\System\JehMLAi.exe
        5⤵
        
        PID:18064
    - - C:\Windows\System\gtEyzoI.exe
        
        C:\Windows\System\gtEyzoI.exe
        5⤵
        
        PID:18096
    - - C:\Windows\System\XKssSpo.exe
        
        C:\Windows\System\XKssSpo.exe
        5⤵
        
        PID:18128
    - - C:\Windows\System\AdxWZen.exe
        
        C:\Windows\System\AdxWZen.exe
        5⤵
        
        PID:18160
    - - C:\Windows\System\cqfPnDU.exe
        
        C:\Windows\System\cqfPnDU.exe
        5⤵
        
        PID:6912
    - - C:\Windows\System\aNMvBhQ.exe
        
        C:\Windows\System\aNMvBhQ.exe
        5⤵
        
        PID:18600
    - - C:\Windows\System\OxMhNKw.exe
        
        C:\Windows\System\OxMhNKw.exe
        5⤵
        
        PID:19580
    - - C:\Windows\System\BzatvKg.exe
        
        C:\Windows\System\BzatvKg.exe
        5⤵
        
        PID:304
    - - C:\Windows\System\ebAXdln.exe
        
        C:\Windows\System\ebAXdln.exe
        5⤵
        
        PID:18280
    - - C:\Windows\System\Bmeunrs.exe
        
        C:\Windows\System\Bmeunrs.exe
        5⤵
        
        PID:18300
    - - C:\Windows\System\XDDGZsb.exe
        
        C:\Windows\System\XDDGZsb.exe
        5⤵
        
        PID:18348
    - - C:\Windows\System\JZmmcMh.exe
        
        C:\Windows\System\JZmmcMh.exe
        5⤵
        
        PID:19624
    - - C:\Windows\System\WGbWBAT.exe
        
        C:\Windows\System\WGbWBAT.exe
        5⤵
        
        PID:15368
    - - C:\Windows\System\pWFryta.exe
        
        C:\Windows\System\pWFryta.exe
        5⤵
        
        PID:19096
    - - C:\Windows\System\dBzUXHZ.exe
        
        C:\Windows\System\dBzUXHZ.exe
        5⤵
        
        PID:20144
    - - C:\Windows\System\SZLVQbC.exe
        
        C:\Windows\System\SZLVQbC.exe
        5⤵
        
        PID:16840
    - - C:\Windows\System\XjzrTdq.exe
        
        C:\Windows\System\XjzrTdq.exe
        5⤵
        
        PID:16516
    - - C:\Windows\System\ccmxBCg.exe
        
        C:\Windows\System\ccmxBCg.exe
        5⤵
        
        PID:17536
    - - C:\Windows\System\ISRwfMj.exe
        
        C:\Windows\System\ISRwfMj.exe
        5⤵
        
        PID:16292
    - - C:\Windows\System\AaOmcJQ.exe
        
        C:\Windows\System\AaOmcJQ.exe
        5⤵
        
        PID:15224
    - - C:\Windows\System\VNrijtu.exe
        
        C:\Windows\System\VNrijtu.exe
        5⤵
        
        PID:6804
    - - C:\Windows\System\HiDTlFR.exe
        
        C:\Windows\System\HiDTlFR.exe
        5⤵
        
        PID:5620
    - - C:\Windows\System\OWuisaZ.exe
        
        C:\Windows\System\OWuisaZ.exe
        5⤵
        
        PID:18444
    - - C:\Windows\System\OGykDDH.exe
        
        C:\Windows\System\OGykDDH.exe
        5⤵
        
        PID:18460
    - - C:\Windows\System\kVUIlPD.exe
        
        C:\Windows\System\kVUIlPD.exe
        5⤵
        
        PID:20332
    - - C:\Windows\System\GFXYrhz.exe
        
        C:\Windows\System\GFXYrhz.exe
        5⤵
        
        PID:18492
    - - C:\Windows\System\RKqylkm.exe
        
        C:\Windows\System\RKqylkm.exe
        5⤵
        
        PID:18508
    - - C:\Windows\System\dGMRLmM.exe
        
        C:\Windows\System\dGMRLmM.exe
        5⤵
        
        PID:18564
    - - C:\Windows\System\ieNzaLC.exe
        
        C:\Windows\System\ieNzaLC.exe
        5⤵
        
        PID:19468
    - - C:\Windows\System\oqIZSUZ.exe
        
        C:\Windows\System\oqIZSUZ.exe
        5⤵
        
        PID:18688
    - - C:\Windows\System\SvAhpJd.exe
        
        C:\Windows\System\SvAhpJd.exe
        5⤵
        
        PID:18724
    - - C:\Windows\System\NJiriHx.exe
        
        C:\Windows\System\NJiriHx.exe
        5⤵
        
        PID:19496
    - - C:\Windows\System\HMSeCFz.exe
        
        C:\Windows\System\HMSeCFz.exe
        5⤵
        
        PID:19488
    - - C:\Windows\System\egxLAej.exe
        
        C:\Windows\System\egxLAej.exe
        5⤵
        
        PID:18884
    - - C:\Windows\System\yrTODaD.exe
        
        C:\Windows\System\yrTODaD.exe
        5⤵
        
        PID:6456
    - - C:\Windows\System\UUgzTQp.exe
        
        C:\Windows\System\UUgzTQp.exe
        5⤵
        
        PID:19636
    - - C:\Windows\System\yCxHUjl.exe
        
        C:\Windows\System\yCxHUjl.exe
        5⤵
        
        PID:18924
    - - C:\Windows\System\njsGmHP.exe
        
        C:\Windows\System\njsGmHP.exe
        5⤵
        
        PID:17576
    - - C:\Windows\System\cpJuJWF.exe
        
        C:\Windows\System\cpJuJWF.exe
        5⤵
        
        PID:2612
    - - C:\Windows\System\CJJdRhE.exe
        
        C:\Windows\System\CJJdRhE.exe
        5⤵
        
        PID:17596
    - - C:\Windows\System\ENlemdt.exe
        
        C:\Windows\System\ENlemdt.exe
        5⤵
        
        PID:18992
    - - C:\Windows\System\NvDBfwk.exe
        
        C:\Windows\System\NvDBfwk.exe
        5⤵
        
        PID:19724
    - - C:\Windows\System\NMFDpLq.exe
        
        C:\Windows\System\NMFDpLq.exe
        5⤵
        
        PID:19780
    - - C:\Windows\System\QENHKHt.exe
        
        C:\Windows\System\QENHKHt.exe
        5⤵
        
        PID:17712
    - - C:\Windows\System\qqaSkvZ.exe
        
        C:\Windows\System\qqaSkvZ.exe
        5⤵
        
        PID:19068
    - - C:\Windows\System\lJjBOve.exe
        
        C:\Windows\System\lJjBOve.exe
        5⤵
        
        PID:20492
    - - C:\Windows\System\rfwIsFN.exe
        
        C:\Windows\System\rfwIsFN.exe
        5⤵
        
        PID:20508
    - - C:\Windows\System\cZnfCfT.exe
        
        C:\Windows\System\cZnfCfT.exe
        5⤵
        
        PID:20528
    - - C:\Windows\System\YtBrNMw.exe
        
        C:\Windows\System\YtBrNMw.exe
        5⤵
        
        PID:20548
    - - C:\Windows\System\fQOxNbo.exe
        
        C:\Windows\System\fQOxNbo.exe
        5⤵
        
        PID:20592
    - - C:\Windows\System\qLRySGw.exe
        
        C:\Windows\System\qLRySGw.exe
        5⤵
        
        PID:20608
    - - C:\Windows\System\RwklWHc.exe
        
        C:\Windows\System\RwklWHc.exe
        5⤵
        
        PID:20624
    - - C:\Windows\System\szBUIxP.exe
        
        C:\Windows\System\szBUIxP.exe
        5⤵
        
        PID:20644
    - - C:\Windows\System\wmeFNfL.exe
        
        C:\Windows\System\wmeFNfL.exe
        5⤵
        
        PID:20716
    - - C:\Windows\System\ApkFnOr.exe
        
        C:\Windows\System\ApkFnOr.exe
        5⤵
        
        PID:20740
    - - C:\Windows\System\tZiRWoE.exe
        
        C:\Windows\System\tZiRWoE.exe
        5⤵
        
        PID:20764
    - - C:\Windows\System\PJCotrf.exe
        
        C:\Windows\System\PJCotrf.exe
        5⤵
        
        PID:20808
    - - C:\Windows\System\CMiItpx.exe
        
        C:\Windows\System\CMiItpx.exe
        5⤵
        
        PID:20836
    - - C:\Windows\System\mnasdlh.exe
        
        C:\Windows\System\mnasdlh.exe
        5⤵
        
        PID:20860
    - - C:\Windows\System\jxhFAGN.exe
        
        C:\Windows\System\jxhFAGN.exe
        5⤵
        
        PID:20876
    - - C:\Windows\System\zgjiUWK.exe
        
        C:\Windows\System\zgjiUWK.exe
        5⤵
        
        PID:20928
    - - C:\Windows\System\mARWJHB.exe
        
        C:\Windows\System\mARWJHB.exe
        5⤵
        
        PID:20944
    - - C:\Windows\System\tMTmyof.exe
        
        C:\Windows\System\tMTmyof.exe
        5⤵
        
        PID:20960
    - - C:\Windows\System\NNzgdsb.exe
        
        C:\Windows\System\NNzgdsb.exe
        5⤵
        
        PID:20992
    - - C:\Windows\System\mzyezhe.exe
        
        C:\Windows\System\mzyezhe.exe
        5⤵
        
        PID:21012
    - - C:\Windows\System\tkZuOMg.exe
        
        C:\Windows\System\tkZuOMg.exe
        5⤵
        
        PID:21040
    - - C:\Windows\System\NjErKko.exe
        
        C:\Windows\System\NjErKko.exe
        5⤵
        
        PID:21076
    - - C:\Windows\System\MjRkGhx.exe
        
        C:\Windows\System\MjRkGhx.exe
        5⤵
        
        PID:21092
    - - C:\Windows\System\wjtELUv.exe
        
        C:\Windows\System\wjtELUv.exe
        5⤵
        
        PID:21156
    - - C:\Windows\System\jNkqPkK.exe
        
        C:\Windows\System\jNkqPkK.exe
        5⤵
        
        PID:21200
    - - C:\Windows\System\iCOeiWE.exe
        
        C:\Windows\System\iCOeiWE.exe
        5⤵
        
        PID:21216
    - - C:\Windows\System\djHIyST.exe
        
        C:\Windows\System\djHIyST.exe
        5⤵
        
        PID:21244
    - - C:\Windows\System\QvlzdGz.exe
        
        C:\Windows\System\QvlzdGz.exe
        5⤵
        
        PID:21260
    - - C:\Windows\System\FfdAjLO.exe
        
        C:\Windows\System\FfdAjLO.exe
        5⤵
        
        PID:21296
    - - C:\Windows\System\KNpMtyR.exe
        
        C:\Windows\System\KNpMtyR.exe
        5⤵
        
        PID:21312
    - - C:\Windows\System\vgbiuSQ.exe
        
        C:\Windows\System\vgbiuSQ.exe
        5⤵
        
        PID:21340
    - - C:\Windows\System\QglpRrG.exe
        
        C:\Windows\System\QglpRrG.exe
        5⤵
        
        PID:21360
    - - C:\Windows\System\QVIfQse.exe
        
        C:\Windows\System\QVIfQse.exe
        5⤵
        
        PID:21376
    - - C:\Windows\System\izxSQQg.exe
        
        C:\Windows\System\izxSQQg.exe
        5⤵
        
        PID:21440
    - - C:\Windows\System\weqhvuo.exe
        
        C:\Windows\System\weqhvuo.exe
        5⤵
        
        PID:21460
    - - C:\Windows\System\ZyrmTjm.exe
        
        C:\Windows\System\ZyrmTjm.exe
        5⤵
        
        PID:19152
    - - C:\Windows\System\xqBcYRx.exe
        
        C:\Windows\System\xqBcYRx.exe
        5⤵
        
        PID:19268
    - - C:\Windows\System\ePOoIvt.exe
        
        C:\Windows\System\ePOoIvt.exe
        5⤵
        
        PID:18080
    - - C:\Windows\System\BENlISw.exe
        
        C:\Windows\System\BENlISw.exe
        5⤵
        
        PID:19340
    - - C:\Windows\System\eNIagUp.exe
        
        C:\Windows\System\eNIagUp.exe
        5⤵
        
        PID:16184
    - - C:\Windows\System\rpTqHzQ.exe
        
        C:\Windows\System\rpTqHzQ.exe
        5⤵
        
        PID:13780
    - - C:\Windows\System\QlzJECk.exe
        
        C:\Windows\System\QlzJECk.exe
        5⤵
        
        PID:15196
    - - C:\Windows\System\VuaIVdu.exe
        
        C:\Windows\System\VuaIVdu.exe
        5⤵
        
        PID:20196
    - - C:\Windows\System\iUxvpSF.exe
        
        C:\Windows\System\iUxvpSF.exe
        5⤵
        
        PID:18364
    - - C:\Windows\System\JBDVyau.exe
        
        C:\Windows\System\JBDVyau.exe
        5⤵
        
        PID:12972
    - - C:\Windows\System\HjYtLUA.exe
        
        C:\Windows\System\HjYtLUA.exe
        5⤵
        
        PID:15236
    - - C:\Windows\System\NHpDQwn.exe
        
        C:\Windows\System\NHpDQwn.exe
        5⤵
        
        PID:7108
    - - C:\Windows\System\XzDOKAI.exe
        
        C:\Windows\System\XzDOKAI.exe
        5⤵
        
        PID:20400
    - - C:\Windows\System\pktACto.exe
        
        C:\Windows\System\pktACto.exe
        5⤵
        
        PID:20416
    - - C:\Windows\System\wRIHHdb.exe
        
        C:\Windows\System\wRIHHdb.exe
        5⤵
        
        PID:20432
    - - C:\Windows\System\zfKoZSn.exe
        
        C:\Windows\System\zfKoZSn.exe
        5⤵
        
        PID:15508
    - - C:\Windows\System\aDQOyFd.exe
        
        C:\Windows\System\aDQOyFd.exe
        5⤵
        
        PID:16708
    - - C:\Windows\System\lVQxCNN.exe
        
        C:\Windows\System\lVQxCNN.exe
        5⤵
        
        PID:16908
    - - C:\Windows\System\pIfCBqE.exe
        
        C:\Windows\System\pIfCBqE.exe
        5⤵
        
        PID:17016
    - - C:\Windows\System\oVMSGDP.exe
        
        C:\Windows\System\oVMSGDP.exe
        5⤵
        
        PID:652
    - - C:\Windows\System\bnHQiNg.exe
        
        C:\Windows\System\bnHQiNg.exe
        5⤵
        
        PID:7852
    - - C:\Windows\System\gEOjgFb.exe
        
        C:\Windows\System\gEOjgFb.exe
        5⤵
        
        PID:7620
    - - C:\Windows\System\uLYZKvq.exe
        
        C:\Windows\System\uLYZKvq.exe
        5⤵
        
        PID:18452
    - - C:\Windows\System\OzrToYV.exe
        
        C:\Windows\System\OzrToYV.exe
        5⤵
        
        PID:19524
    - - C:\Windows\System\vkdCIzC.exe
        
        C:\Windows\System\vkdCIzC.exe
        5⤵
        
        PID:19568
    - - C:\Windows\System\VnRDIka.exe
        
        C:\Windows\System\VnRDIka.exe
        5⤵
        
        PID:15388
    - - C:\Windows\System\rXtjpXm.exe
        
        C:\Windows\System\rXtjpXm.exe
        5⤵
        
        PID:19632
    - - C:\Windows\System\EIftAvW.exe
        
        C:\Windows\System\EIftAvW.exe
        5⤵
        
        PID:18740
    - - C:\Windows\System\EJGoxwa.exe
        
        C:\Windows\System\EJGoxwa.exe
        5⤵
        
        PID:18860
    - - C:\Windows\System\KoReyov.exe
        
        C:\Windows\System\KoReyov.exe
        5⤵
        
        PID:17664
    - - C:\Windows\System\QDJlSGY.exe
        
        C:\Windows\System\QDJlSGY.exe
        5⤵
        
        PID:19840
    - - C:\Windows\System\jGiIHzR.exe
        
        C:\Windows\System\jGiIHzR.exe
        5⤵
        
        PID:21520
    - - C:\Windows\System\lpOIEza.exe
        
        C:\Windows\System\lpOIEza.exe
        5⤵
        
        PID:21552
    - - C:\Windows\System\mXFjfUI.exe
        
        C:\Windows\System\mXFjfUI.exe
        5⤵
        
        PID:21576
    - - C:\Windows\System\hAyXJCa.exe
        
        C:\Windows\System\hAyXJCa.exe
        5⤵
        
        PID:21600
    - - C:\Windows\System\qqxsvap.exe
        
        C:\Windows\System\qqxsvap.exe
        5⤵
        
        PID:21644
    - - C:\Windows\System\GHiwsJX.exe
        
        C:\Windows\System\GHiwsJX.exe
        5⤵
        
        PID:21680
    - - C:\Windows\System\YnIbOYI.exe
        
        C:\Windows\System\YnIbOYI.exe
        5⤵
        
        PID:21724
    - - C:\Windows\System\QZqifkv.exe
        
        C:\Windows\System\QZqifkv.exe
        5⤵
        
        PID:21752
    - - C:\Windows\System\oTIAhea.exe
        
        C:\Windows\System\oTIAhea.exe
        5⤵
        
        PID:21780
    - - C:\Windows\System\BLaGKut.exe
        
        C:\Windows\System\BLaGKut.exe
        5⤵
        
        PID:21804
    - - C:\Windows\System\CLkcyPY.exe
        
        C:\Windows\System\CLkcyPY.exe
        5⤵
        
        PID:21824
    - - C:\Windows\System\ffJdQcS.exe
        
        C:\Windows\System\ffJdQcS.exe
        5⤵
        
        PID:21840
    - - C:\Windows\System\NXGMkWx.exe
        
        C:\Windows\System\NXGMkWx.exe
        5⤵
        
        PID:21856
    - - C:\Windows\System\HvPEoWA.exe
        
        C:\Windows\System\HvPEoWA.exe
        5⤵
        
        PID:21880
    - - C:\Windows\System\smXyrkS.exe
        
        C:\Windows\System\smXyrkS.exe
        5⤵
        
        PID:21896
    - - C:\Windows\System\oFHIBYR.exe
        
        C:\Windows\System\oFHIBYR.exe
        5⤵
        
        PID:21928
    - - C:\Windows\System\FIjSHYS.exe
        
        C:\Windows\System\FIjSHYS.exe
        5⤵
        
        PID:22012
    - - C:\Windows\System\bzQGGzy.exe
        
        C:\Windows\System\bzQGGzy.exe
        5⤵
        
        PID:22036
    - - C:\Windows\System\ShshHRE.exe
        
        C:\Windows\System\ShshHRE.exe
        5⤵
        
        PID:22052
    - - C:\Windows\System\yvATShW.exe
        
        C:\Windows\System\yvATShW.exe
        5⤵
        
        PID:22080
    - - C:\Windows\System\UjrODsa.exe
        
        C:\Windows\System\UjrODsa.exe
        5⤵
        
        PID:22104
    - - C:\Windows\System\iwHGHSY.exe
        
        C:\Windows\System\iwHGHSY.exe
        5⤵
        
        PID:22120
    - - C:\Windows\System\golyNpi.exe
        
        C:\Windows\System\golyNpi.exe
        5⤵
        
        PID:21348
    - - C:\Windows\System\iiWnmla.exe
        
        C:\Windows\System\iiWnmla.exe
        5⤵
        
        PID:21480
    - - C:\Windows\System\EKuFxwH.exe
        
        C:\Windows\System\EKuFxwH.exe
        5⤵
        
        PID:19116
    - - C:\Windows\System\ricahEQ.exe
        
        C:\Windows\System\ricahEQ.exe
        5⤵
        
        PID:17568
    - - C:\Windows\System\lLmNGYU.exe
        
        C:\Windows\System\lLmNGYU.exe
        5⤵
        
        PID:5320
    - - C:\Windows\System\kmKAFRF.exe
        
        C:\Windows\System\kmKAFRF.exe
        5⤵
        
        PID:19324
    - - C:\Windows\System\iFSZHPS.exe
        
        C:\Windows\System\iFSZHPS.exe
        5⤵
        
        PID:5672
    - - C:\Windows\System\dVSdevG.exe
        
        C:\Windows\System\dVSdevG.exe
        5⤵
        
        PID:2424
    - - C:\Windows\System\yrCliSg.exe
        
        C:\Windows\System\yrCliSg.exe
        5⤵
        
        PID:5772
    - - C:\Windows\System\TadCIJb.exe
        
        C:\Windows\System\TadCIJb.exe
        5⤵
        
        PID:17728
    - - C:\Windows\System\ZPFGLvz.exe
        
        C:\Windows\System\ZPFGLvz.exe
        5⤵
        
        PID:4612
    - - C:\Windows\System\lvBdYNK.exe
        
        C:\Windows\System\lvBdYNK.exe
        5⤵
        
        PID:10444
    - - C:\Windows\System\qPGvCMv.exe
        
        C:\Windows\System\qPGvCMv.exe
        5⤵
        
        PID:7672
    - - C:\Windows\System\XpKCNkY.exe
        
        C:\Windows\System\XpKCNkY.exe
        5⤵
        
        PID:19484
    - - C:\Windows\System\SRFEGBt.exe
        
        C:\Windows\System\SRFEGBt.exe
        5⤵
        
        PID:19504
    - - C:\Windows\System\OtNrbIp.exe
        
        C:\Windows\System\OtNrbIp.exe
        5⤵
        
        PID:19600
    - - C:\Windows\System\ucXXciE.exe
        
        C:\Windows\System\ucXXciE.exe
        5⤵
        
        PID:18660
    - - C:\Windows\System\OaTMDpW.exe
        
        C:\Windows\System\OaTMDpW.exe
        5⤵
        
        PID:21596
    - - C:\Windows\System\ililsOT.exe
        
        C:\Windows\System\ililsOT.exe
        5⤵
        
        PID:21732
    - - C:\Windows\System\wBAJAwy.exe
        
        C:\Windows\System\wBAJAwy.exe
        5⤵
        
        PID:17028
    - - C:\Windows\System\kClNJbZ.exe
        
        C:\Windows\System\kClNJbZ.exe
        5⤵
        
        PID:21544
    - - C:\Windows\System\YpJsqqs.exe
        
        C:\Windows\System\YpJsqqs.exe
        5⤵
        
        PID:21620
    - - C:\Windows\System\JxYIwZF.exe
        
        C:\Windows\System\JxYIwZF.exe
        5⤵
        
        PID:20556
    - - C:\Windows\System\KRIDeXh.exe
        
        C:\Windows\System\KRIDeXh.exe
        5⤵
        
        PID:21848
    - - C:\Windows\System\wqLJWMu.exe
        
        C:\Windows\System\wqLJWMu.exe
        5⤵
        
        PID:20084
    - - C:\Windows\System\DsSdYFd.exe
        
        C:\Windows\System\DsSdYFd.exe
        5⤵
        
        PID:9740
    - - C:\Windows\System\bymeFmk.exe
        
        C:\Windows\System\bymeFmk.exe
        5⤵
        
        PID:20820
    - - C:\Windows\System\hQTkQRj.exe
        
        C:\Windows\System\hQTkQRj.exe
        5⤵
        
        PID:20660
  - - C:\Users\Admin\Downloads\240919-pwav9szann_eb5a6e6aceac7224a39a67546e5dc3a6_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pwav9szann_eb5a6e6aceac7224a39a67546e5dc3a6_JaffaCakes118.exe
      4⤵
      PID:14728
  - - C:\Users\Admin\Downloads\240919-pllj1syekn_SPW AW25 - PO.010.exe
      "C:\Users\Admin\Downloads\240919-pllj1syekn_SPW AW25 - PO.010.exe"
      4⤵
      PID:15352
  - - C:\Users\Admin\Downloads\240919-pvestszakj_15a750c533230b02c56d241191c78d1f55c3145e80baa2d596f17c6c309cb035N.exe
      C:\Users\Admin\Downloads\240919-pvestszakj_15a750c533230b02c56d241191c78d1f55c3145e80baa2d596f17c6c309cb035N.exe
      4⤵
      PID:9172
  - - C:\Users\Admin\Downloads\240919-pzadxayfqe_eb5cc00c030e8d22ffb8fada31c6ef5a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pzadxayfqe_eb5cc00c030e8d22ffb8fada31c6ef5a_JaffaCakes118.exe
      4⤵
      PID:16152
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.exe
        5⤵
        
        PID:17672
  - - C:\Users\Admin\Downloads\240919-pnyx5ayfmn_Pedido_52038923_CotizacionS_max2024.bat.exe
      C:\Users\Admin\Downloads\240919-pnyx5ayfmn_Pedido_52038923_CotizacionS_max2024.bat.exe
      4⤵
      PID:15104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15104 -s 1064
        5⤵
        Program crash
        
        PID:15380
  - - C:\Users\Admin\Downloads\240919-pmgx8ayenp_24a81e1b909c4155a7a4d818e281dc6f183501204300661b55ec404b94020b25N.exe
      C:\Users\Admin\Downloads\240919-pmgx8ayenp_24a81e1b909c4155a7a4d818e281dc6f183501204300661b55ec404b94020b25N.exe
      4⤵
      PID:13820
    - - C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        5⤵
        
        PID:19796
      - C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        6⤵
        
        PID:17736
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        7⤵
        
        PID:19756
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        8⤵
        
        PID:16500
  - - C:\Users\Admin\Downloads\240919-pvsdxszalq_c18257cd9fbca49a1748093a8401b0313747181d6db99b4647b64d36bb5c38f7N.exe
      C:\Users\Admin\Downloads\240919-pvsdxszalq_c18257cd9fbca49a1748093a8401b0313747181d6db99b4647b64d36bb5c38f7N.exe
      4⤵
      PID:19088
    - - C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        5⤵
        
        PID:19932
      - C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        6⤵
        
        PID:20572
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        7⤵
        
        PID:18584
  - - C:\Users\Admin\Downloads\240919-pncpwsyard_Doc _180924.exe
      "C:\Users\Admin\Downloads\240919-pncpwsyard_Doc _180924.exe"
      4⤵
      PID:20128
  - - C:\Users\Admin\Downloads\240919-pqd1qsygkm_PO-27893493.exe
      C:\Users\Admin\Downloads\240919-pqd1qsygkm_PO-27893493.exe
      4⤵
      PID:15144
  - - C:\Users\Admin\Downloads\240919-pmtl1syapd_eb54d97463126d2c847af3d180f96770_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-pmtl1syapd_eb54d97463126d2c847af3d180f96770_JaffaCakes118.exe
      4⤵
      PID:21320
  - - C:\Users\Admin\Downloads\240919-pt2k7syhrl_44b64a395000f678979aceb27b896870f458ed124fa1e4ad9c2acc6491ef84daN.exe
      C:\Users\Admin\Downloads\240919-pt2k7syhrl_44b64a395000f678979aceb27b896870f458ed124fa1e4ad9c2acc6491ef84daN.exe
      4⤵
      PID:21944
    - - C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        5⤵
        
        PID:15216
  - - C:\Users\Admin\Downloads\240919-p1nypazcnl_066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8.exe
      C:\Users\Admin\Downloads\240919-p1nypazcnl_066692a03f240a40c237f5ec3270d27cac1fda40630dd29f40db006b79a542a8.exe
      4⤵
      PID:21960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3740 -ip 3740
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4500 -ip 4500
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2376 -ip 2376
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5724 -ip 5724
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3916 -ip 3916
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5568 -ip 5568
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5500 -ip 5500
1⤵
PID:7532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3116 -ip 3116
1⤵
PID:8156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1980 -ip 1980
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5184 -ip 5184
1⤵
PID:7900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1980 -ip 1980
1⤵
PID:8316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7816 -ip 7816
1⤵
PID:7272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7816 -ip 7816
1⤵
PID:10204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3916 -ip 3916
1⤵
PID:8512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3824 -ip 3824
1⤵
PID:11228

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2296
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN2" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN.exe'" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3536
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:9872
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN2" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\legal\javafx\240919-p16hqszcql_e945f807f1294deb50fed243c01bcf11c8a16f2fcbb6f74189ee1ad4802171beN.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7544
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe'" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6248
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:13372
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN2" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\240919-pzqqwsygjf_813a0d08212efc73e6570227bede27f6a902862772d57485685cfbe5f8465e4eN.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:13928
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp2" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp.exe'" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:13472
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:13916
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp2" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:13764
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "CbpajgmfC" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\Cbpajgmf.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:18648
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Cbpajgmf" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\Cbpajgmf.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:18596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:11944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 7816 -ip 7816
1⤵
PID:10432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 10024 -ip 10024
1⤵
PID:7788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 9944 -ip 9944
1⤵
PID:9788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1108 -ip 1108
1⤵
PID:13464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 7556 -ip 7556
1⤵
PID:13792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 13048 -ip 13048
1⤵
PID:14052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8312 -ip 8312
1⤵
PID:12936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 13948 -ip 13948
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 10660 -ip 10660
1⤵
PID:14012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 10468 -ip 10468
1⤵
PID:12516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 10444 -ip 10444
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 11228 -ip 11228
1⤵
PID:13776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e3855 /state1:0x41c64e6d
1⤵
PID:13184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7816 -ip 7816
1⤵
PID:17520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 15104 -ip 15104
1⤵
PID:19696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7776 -ip 7776
1⤵
PID:20168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 5816 -ip 5816
1⤵
PID:22304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 7816 -ip 7816
1⤵
PID:19060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5xrlrll.exe

Filesize
73KB

MD5
99702c614a0f29ec113f04b570f30390

SHA1
09802aedc51dad06d2c89d965d07362227fabcf6

SHA256
9597ae9ac4793f84cf5036051904aa5c7d1b06b9c71c5f5f74462e31e5efd5e0

SHA512
269a0cd81f1b733277ae9ebd32e7ba24bbba957b4b71fae177516abeab7b4e75d3a7ddb109be2328ed9c032bef657783ffdf5c09390cdb748da884b6f329b201

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\240919-pz318azcll_2880-30-0x0000000000400000-0x0000000000440000-memory.dmp.exe

Filesize
817KB

MD5
e7b40591ce63306e32f43a9ba66c1770

SHA1
d81d0ce32233a0a288a53bec94990b2b5c8120d0

SHA256
6de62e421f9a46f1c1576bdd3ea88a71599957ecdbf52b393c8a68d258bd871b

SHA512
0b2aabf6b1aee43306cd213c707afcddaa7d76a29be4a37386a767f3f58c32f5498425ca83ad0f41e0a027a1780f3b8335dcd0c143813580a8bc4496ef6bd2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MUFQOQI9\m[1].htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_asyncio.pyd

Filesize
62KB

MD5
2859c39887921dad2ff41feda44fe174

SHA1
fae62faf96223ce7a3e6f7389a9b14b890c24789

SHA256
aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

SHA512
790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_cffi_backend.cp311-win_amd64.pyd

Filesize
174KB

MD5
739d352bd982ed3957d376a9237c9248

SHA1
961cf42f0c1bb9d29d2f1985f68250de9d83894d

SHA256
9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980

SHA512
585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_multiprocessing.pyd

Filesize
32KB

MD5
1386dbc6dcc5e0be6fef05722ae572ec

SHA1
470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

SHA256
0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

SHA512
ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_overlapped.pyd

Filesize
48KB

MD5
01ad7ca8bc27f92355fd2895fc474157

SHA1
15948cd5a601907ff773d0b48e493adf0d38a1a6

SHA256
a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

SHA512
8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_tcl_data\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_tkinter.pyd

Filesize
61KB

MD5
442304ce4ad2d40e0d85a89b52b6d272

SHA1
5b5add527dd6fea47d4caa923694eee8d741b488

SHA256
6ff6cc788f1ab19de383810ddbd15ecd5fc8216faf5e1e406bbf9a608fbb9991

SHA512
df5a47780a6642c310417c2d2e8c439eb2a324d9318ef1ea5af36c5657cc34a8aa950edbe5f91869bf0d50cccebcb7a08447dbcfdc75e29acc8c72327f231e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\base_library.zip

Filesize
1.4MB

MD5
481da210e644d6b317cafb5ddf09e1a5

SHA1
00fe8e1656e065d5cf897986c12ffb683f3a2422

SHA256
3242ea7a6c4c712f10108a619bf5213878146547838f7e2c1e80d2778eb0aaa0

SHA512
74d177794f0d7e67f64a4f0c9da4c3fd25a4d90eb909e942e42e5651cc1930b8a99eef6d40107aa8756e75ffbcc93284b916862e24262df897aaac97c5072210

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\numpy\core\_multiarray_umath.cp311-win_amd64.pyd

Filesize
2.7MB

MD5
ea2e696dd221290a44fc7f095c4f185b

SHA1
dd5ae42ae6d2678d65b003ba4ca8286a80586869

SHA256
c76d812fa5131fe21c8bf9ffbd910f27df80856f910fa61698f23f60cfd9d13e

SHA512
7a811681652fb53d2da2ec0042b73a6b75b95defc9b47422df0148832a71079832a10d45ac6e457d26a708a30544ad45f08a87e61426c1f3c8252e48c6374b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\win32\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\zstandard\backend_c.cp311-win_amd64.pyd

Filesize
512KB

MD5
dc08f04c9e03452764b4e228fc38c60b

SHA1
317bcc3f9c81e2fc81c86d5a24c59269a77e3824

SHA256
b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f

SHA512
fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgbpv.exe

Filesize
97KB

MD5
4d69c533277773bb0076f57f57d982ff

SHA1
cfccefd43a7328c4252f7a6039f72a6d5906dcea

SHA256
8ad7258d63723a2c3c26c904259f25d94942d637b24299424dbe642da6eeafc7

SHA512
63d46bc27788a3f56cbeec50e8e75d1345d7a83667ef7fe83bdcc68f69ba3cf355b7941da816e0c97465819c62df737639c10631b287465f47e26a8f633e167e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
86KB

MD5
425609a2c35081730982a01d72a76cbe

SHA1
64f95fe985a7ef7ee4f396e36279aa31498ac3cc

SHA256
e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3

SHA512
6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\dsh.exe

Filesize
76KB

MD5
58e1cac304966817b3e1403fe22be76d

SHA1
a814e76b74d4a9b2f1f7709507892d7f0709a59b

SHA256
ec397fce9b0fe02480a6512f1dc9a1dbacae7658354326d2499dd6bf76797977

SHA512
1068a64701eb5de036d36ab7d3fb5c6cf8a2097b61112872183d222e61f58a077f87f2bfbf423f775be5236ac608440881c84d02cca0c47e9fd79d71585f9f76

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
34KB

MD5
1c2aa61ab804b1fd3eaf0e9c2f8d31aa

SHA1
8a631179b8d6c51ce5b073c4ccc28ba99f81d039

SHA256
cec5d1436c625a66df1d2345924b49cb366367af25788c48e9510f45a0b8b17c

SHA512
42012052f7747344dcd5b6cad02e4848d4b63c347e2e4a1a9957fc1525755339974bc17d0ccc2a3dd4f9c75e3696a69c7a792acb0a8e2f4ec2c94c61dc8a0f71

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
84KB

MD5
98ccb6806d126e3a211b963d3341efd7

SHA1
108dfe1979c04c588f87d6fc2bb57c3ac10f6742

SHA256
11f00d48ecd890e9b8658c652a6283ead05dea9bcd641d89d0bd7f0f618f3cd2

SHA512
373caadac1ad290d60ea41663482946889ae9e0fea96115e21ba38d19d2bf6123c47501190c3fb33ef51aa07f6dbddc4eab43b82cbc008c4f83684707e1d3510

Download Submit
C:\Users\Admin\RustAntich1eat.exe

Filesize
827KB

MD5
eefb801774c5ccb44153268a9357f5f1

SHA1
b1906b22e14edd142c52808ab3e5ba9346b85de5

SHA256
677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

SHA512
1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

Download Submit
C:\Users\Admin\Umbral.exe

Filesize
230KB

MD5
4647720ef8607199527cb3b0bc793587

SHA1
0728b0cc0fc7e0a1a8ed14c0861f8757780e4163

SHA256
349bfc065bf0580379be8c6e0d0dca592deec1bfc104d8d28c70454436de6337

SHA512
906baf94232c9f76d193021345259d01e23d81b3d9a948067035979235fd45e739e89b8047148f61d2f210c40e561067a040100ccacebbf8921050f12a0281f8

Download Submit
C:\Users\Admin\laiyua.exe

Filesize
208KB

MD5
0a181860b182a2ea537eeeffbc8ab328

SHA1
958f00938888817f57d53cf863dbaca029f3329e

SHA256
b4fe8cdabad83678c6917d244f1994679082f5f6a3393b5189421356d4b10657

SHA512
71c61321371f984103f402333105cc93e8a8158e083e0ce3e95aa606b62a3536d2c06c5afe5f13387e760c55993fe5f1a55c415328a8f52737bdcdcbbd56aafb

Download Submit
C:\Users\Admin\laiyua.exe

Filesize
236KB

MD5
e2041ad474832bf38a7d53057a4a60af

SHA1
42ec8a15280fd131733e07a435b52d83fdf5da90

SHA256
52d652cb0335984f69e96d95658d4f44f98212e571e9b86220e6d405362b4686

SHA512
caef65633799d0b4c8a374e435bc070766f5ffb46211e78f40ab792801a9264394eb8571d9bc03e915aabf539031c1f845226b198c93a29a2983f59a6323d627

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
becbe7b7cac88c6a2f2a94474be06986

SHA1
f5ff2dc180110d7933f9c7d8759a9e1237657e4d

SHA256
6807959a8104c56db8435f02df779b9df2cd0485b435c69acae7f4b8a9611bf7

SHA512
2bff5826f9e25cb626e351718a994255de39ea80ecd8bc6e0f409df949e53b8d960aec7b72a060efc50cb94d0c64ca03945870429da161c5aedaeb151bd175b4

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
45KB

MD5
abf6d926fea99573592eca70d17dbe5e

SHA1
04ca864d012250a05b7367efed1eac95518f18f3

SHA256
9495a2b36cbbe37e6cc01986e2d96184a62a301227765dc68c2a24903ec311b5

SHA512
3dff4942a79d81422b295768eb236563d5e598407fa1df766dd0c6ff23f96a07b1343c5d2500e362cd64586006f43321e26d34f8872d3daced87f5e466224726

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
64KB

MD5
68d3d3c3608ac8f16907f4e44e977751

SHA1
9c50c65191d67ec6312f14d6dc7e8e2ba21b76a5

SHA256
1b2a71a45d1d4f63549f43082b0d885399c14332477931f02d88aa9b7dd936df

SHA512
b0b01fb9f58b39a99e812d6253959779590f29eb70ab6690aa4b3dc65c34c12ee3ac2c57e9e3c71c07193ccfca73e0e52c482ebbb052e162ca1d956bf98a92e7

Download Submit
C:\Windows\SysWOW64\Ccdnjp32.exe

Filesize
64KB

MD5
fad76eb007c64b29dba13f297df0af43

SHA1
6508de69b7a08b9497e85cc174ababeb4897d893

SHA256
418ba153a316e4eb116c6cf2b847a680b6cd89b138394a3cb5f6fb0660f51f08

SHA512
62865a5e1a6d08cce0437ff827f796e80ce57955e2407b8ae865745afb841fe0a83831d17118120dd40c28ab4beea9ba1d94d290521f223ec36c52aabdcdd9ea

Download Submit
C:\Windows\SysWOW64\Eiohdo32.dll

Filesize
7KB

MD5
177d0d88622d8b15a258d249fb1d2650

SHA1
8edd7fd91d1d9a5e73cd22155e40484d89d43194

SHA256
edeed56103ed40365859b0b6cebea1aa1fdb611d71244dc46e11830c073994f2

SHA512
cd889070ae5eb1191c386c61643782e098ea758ae0d778ded9b6ea55840e7d0bcd98bdda404e41362ddbcb3e274f1dce0552849bfdf4c3f95dd7def716089101

Download Submit
C:\Windows\SysWOW64\Glaecb32.dll

Filesize
7KB

MD5
9985f935d5c3940205054273db902346

SHA1
32854872761be9bb30dba4180b6ec21861d23781

SHA256
6ac772d807b81033198d98063b6cdfe5afea5ab6d96dd9752ba0a443e66d34c7

SHA512
53c929f7e83edb0008d9eb77dba825744fdd6a4b87fc7fd037ba763a98930113fe141943a8963ff92f9ebec6a65eb725a68405af8ad6406a9abec4d28595e719

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
192KB

MD5
2a59f9c8cfcba08bc4b386d3d83ffd61

SHA1
6c6c73fc8ed837ed9bea3539fcac7792f92b904b

SHA256
727ff206593d4081411235c23f2052af56a704e9be3c957eb824b386f04040d8

SHA512
5c4a689b9f1d39f10bd097a01958f3d0c7f05fd8e3539f4342490dc69bee4ef89bdcd0615febfda77cf18863fb29f6ada7f0f4c1a8db0817db142c0ce178fc45

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
45KB

MD5
976f7c6bc3b1ced8bd40d9feff9dc439

SHA1
f7d8a71d27ecbf282a678237b3f95af0980c4a58

SHA256
f34c1d631cf86c28335d5b6a064d118d5e5b471ecdd1626c201207f78b006852

SHA512
53b1cd2f2b0c6e38ef7dd20f278b363bd8e485c2bc427de06631cba0a3d81867d5029cb15269c40a62371665f6bac3b240135af75081ce30ed69197ff7dbe12c

Download Submit
C:\Windows\SysWOW64\Omegjomb.exe

Filesize
45KB

MD5
870e62e00d3e3bc50704c3d6206885cf

SHA1
bebb5c3806b7a1631e2906263d16a02fcb6789ac

SHA256
5cd12e11a309f40e1895a35b775d182032601581a9cb85b9f0ddd3e08289714f

SHA512
b02d03c2cf8969d69365de567d558651865882969096ece996079d3c37fe1054b545c8c2d30d80d5fef2f9b0a05151a1e24fc0de4023347f0c98f88968acfd3a

Download Submit
C:\Windows\SysWOW64\Palbgl32.exe

Filesize
464KB

MD5
42244586c65d9cd07982865b00761128

SHA1
c22517ac6703d4ba43d166e58ba031611ef35307

SHA256
da9e113206fea9798d8f9c8858486373ec793b2674284195076e3ec1ff7cf868

SHA512
76b2a09c97f079227e278cd47803def8ebcbc273f687913af1c6668c4db9fad83e13ad5192aa13c6dc30f0e93080f22b2c7175b298e4725c8485cd84f68e6f7f

Download Submit
C:\Windows\SysWOW64\Pmaffnce.exe

Filesize
80KB

MD5
8c1765d679269755a50b9dbf6cc34f53

SHA1
3bef3b0ec880d7e416601dc7cf71e17fa12b64a4

SHA256
2e3e38c02f267bd222b26d56aec0bba7986ac81a52870d4d56f1f74559e9f9ed

SHA512
1cef345d98e24304e3a2ab10b98e18b25bf924ac73847a29d67471426e0f0439f6d849bd107d404c8f2934560a579bd60ddea5bd3d163581a43e76e635d12460

Download Submit
C:\Windows\SysWOW64\kvkmxleu.nls

Filesize
428B

MD5
534cda6b48a4f4eeba156fae0d91da91

SHA1
ee02d7d2b5f6d35d717c818ca9751af162d39795

SHA256
66180bbde64bd522c568ee505c86f8757942a6d7cbe969b7240660c1ff31bba9

SHA512
e4be76b12a415264990f8e9767356b66676f4d2ddd478c6765d0a614032e9a57547f040c6d86cdbcf5b2bca32857850843d7550611cf1e6ea8a2179ae6996c7a

Download Submit
C:\Windows\SysWOW64\kvkmxleu.tmp

Filesize
2.2MB

MD5
8c133f19d7fdcc1f0d88acca920fa7a0

SHA1
772dbb3a92e4562db2ff3a530cff2bcb2ed11012

SHA256
862ebfdcf3d49591dd2077e5caa376ed14684c531ef63e128d38c53834c01a64

SHA512
e8012945e30b0bde53a989fc5db4977392e24f3268fd305397cee8c2e94ca487439f3de3ce95890e73fc22f87c715e3003ecf9ffc0250ce1e034dedf54683fb1

Download Submit
C:\Windows\SysWOW64\twex.exe

Filesize
511KB

MD5
1f684aa494b5c83517c0595e55f04f48

SHA1
de4346c9e4d5febf8757e6ca3b28123583c133e5

SHA256
4284d82725488ae78e0a2eec99ce8979817bac8f1226cf86ccc75ece05903e44

SHA512
64c27f28991a19c412fecdfaf8399c7e7afc0f76430c5c540454db131d8b02dbfd1d0dbc5b4cdea75247e8a83ad861a38df60e886306ddead9696269e41f3eba

Download Submit
C:\Windows\System\iplKNQl.exe

Filesize
1.8MB

MD5
19fc0bb19276e088aaff224025d0e24b

SHA1
c66cb31347c9b3e2d9ab9e880a82645d1b5d942d

SHA256
8ef516075004ab319b6807bc65c86f9a6d02f133c13263c378d11b06d8a9c1be

SHA512
e308e80578bd80262e79a1cba9acfa4e0e3136ef420bae89fad8897498c62172366b730620a361494a309bc7ae311c5f7303f5126a57eed438db75d934ac642e

Download Submit
C:\Windows\svchest425075242507520.exe

Filesize
376KB

MD5
eb5c919afd904cf62615161c2c83720f

SHA1
9365bb524d789108ad53b9182717bf4215e8368b

SHA256
6a5591070d201485ed848d8240f70aca37cbaf95d192c08b4f0b0a9a1c23e970

SHA512
504a8c36f3424cb0afa38fe43d0b81b513c5947131e282e7f8083429155c3bf15ade86f732a1cde15104cb24f9cd10e4dd53edb44705c826016b30e81e74908c

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\backup.exe

Filesize
450KB

MD5
54734ee865ec15e2aca5e1a065d175ab

SHA1
64b31fbf53f6b2ad9f06bc527acd9d6dadcd6319

SHA256
d4de47c49a4f8d9935d4f0db977ee5b2e7f63a5042df57c3394ab76d7259e120

SHA512
bf7ee088a02e025f78fc9ef5f068983704712a97d0621e75c278c54f090addcc02cef22b2cb68b543ea8a82517baba908cf765eb248dfb71160804f44dcc2dbd

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
3acc2748eea7193dcf89a9307bcbb739

SHA1
0aa2091b0e4d9262d53091bff4ded26fb9c07357

SHA256
e6f04e3a8b958cffde8c207a8feba00e73fc3d3c3c8e9d5ffb5bae515a049be4

SHA512
1a640c0ade750bde213a0372707f2e1fa5faba21c97c1f2087f6a4ab712e38bbae21486c5d18303dde532c9f2966fea56da45754ae9d6121efbf8e36b7641ca2

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
2a67cf2d2e0b3a34672817fba103b350

SHA1
198ed4dd537ecba04aa167007b1699b48803c534

SHA256
129db05bbbd8153b0c7d3cb2d0a4cc86e73001b18622edb38d26323d826c9869

SHA512
726eae6844f7b091d922a0ece9448bc567ac9c4932ab0290460cb5b63f5b9e3b23fed2a52fcae9dc9eb2c450349a5a6d656503ed4bd2508ce3476fe899c462be

Download Submit
memory/228-1630-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/244-1219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/244-1276-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/244-1321-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/352-1477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-1331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-1191-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1112-1324-0x0000000002300000-0x0000000002302000-memory.dmp

Filesize
8KB

Download
memory/1112-1325-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1112-1453-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1500-1224-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/1500-1083-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-1198-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1508-1514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-1136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-1268-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1744-1317-0x0000000002030000-0x0000000002032000-memory.dmp

Filesize
8KB

Download
memory/1836-1691-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-1281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-1220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-1761-0x0000000000400000-0x00000000006F883B-memory.dmp

Filesize
3.0MB

Download
memory/2084-1071-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-1194-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2084-1222-0x0000000002130000-0x0000000002132000-memory.dmp

Filesize
8KB

Download
memory/2084-1193-0x0000000002130000-0x0000000002132000-memory.dmp

Filesize
8KB

Download
memory/2108-1138-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/2108-1158-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/2108-1252-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/2108-1151-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/2108-1106-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2164-1097-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-1310-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/2164-1250-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2296-1217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-1218-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2472-1274-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2472-1184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-1320-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/2528-1185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-1322-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/2528-1278-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2532-1311-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/2532-1107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-1254-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2648-1282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-1534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-2272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-1215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-1332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-1280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-1196-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3448-1223-0x0000000002C80000-0x0000000002C82000-memory.dmp

Filesize
8KB

Download
memory/3608-2274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-1264-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3824-1692-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3904-1260-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3904-1314-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3904-1128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-1690-0x0000000000400000-0x00000000006EF83B-memory.dmp

Filesize
2.9MB

Download
memory/4152-1248-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4152-1246-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/4152-1084-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-1216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-1784-0x0000000000FB0000-0x0000000001082000-memory.dmp

Filesize
840KB

Download
memory/4468-1279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-1270-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/4476-1422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-1148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-1262-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4500-1145-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/4500-1315-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/4500-1146-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4500-1330-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4500-1147-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4500-1129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4528-1622-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4616-1312-0x0000000001FF0000-0x0000000001FF2000-memory.dmp

Filesize
8KB

Download
memory/4616-1256-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4616-1116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-1765-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4652-1316-0x0000000002140000-0x0000000002142000-memory.dmp

Filesize
8KB

Download
memory/4652-1266-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4652-1137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-1515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-1762-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-1117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-1313-0x00000000006A0000-0x00000000006A2000-memory.dmp

Filesize
8KB

Download
memory/4856-1258-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/4856-1283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-1319-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/4872-1149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-1272-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4872-1425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-1535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-1333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-1763-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5272-1764-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5280-1628-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/5288-1516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5296-1629-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5344-1358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-2275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5384-1359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5428-2273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-1520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-1519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5480-1360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-1767-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5548-1766-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-1768-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5652-1518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5696-1450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5736-1451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5780-1517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-1426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5880-1455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5904-1536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5920-1452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6100-1454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-1621-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6300-1769-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6364-1770-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6420-1771-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6460-2264-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6492-1833-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6500-2053-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6540-1834-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6548-1835-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6556-1836-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6616-1909-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6632-1910-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/6776-2261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6848-2262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6888-2263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6956-2265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6984-2266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7020-2268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7040-2269-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7092-2270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/7136-2271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads