berbew | 94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f

Analysis

max time kernel
59s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DoomRat.exe
Size

12.1MB
MD5

b6f21ecc31778ba2362958d1e5091759
SHA1

613dbf4e682fe14b8617908113fc5c7ba05de16a
SHA256

94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f
SHA512

d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d
SSDEEP

393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnoaaaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240920-qltq3ayenq061645157812ff9d6fa0f18fac137727bb7d61779020748613a2fd855af42d2eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkokcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbphg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	240920-qbf28axfmgc58396ee6fe28f6b6da46e965fead2154b8e51a6abb86ad73b68499a243cd048N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loighj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llpchaqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfaajnfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilqoobdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240920-qeqqtsybrqfb603adcb40e71e06f1114e301aebb78be904818dff545a9c8158453057b0aa2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhehkepj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpomccg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detects MyDoom family 4 IoCs

resource	yara_rule
behavioral2/memory/5768-422-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/2968-245-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/2968-176-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/files/0x0007000000024e35-12866.dat	family_mydoom

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023f94-15192.dat	family_gh0strat
behavioral2/files/0x000a000000023fa5-15196.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\WINDOWS\\system32\\MsCM32.exe"	240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	240920-qb1fvsxfped43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	240920-p8p6qaxhjreda44d9dd372786b7c8c9710442a294a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe"	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 21 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Arquivos de programas\Internet Explorer\6.5\svchosts.exe = "C:\\Arquivos de programas\\Internet Explorer\\6.5\\svchosts.exe:*:Enabled:svchosts.exe"	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Downloads\240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe = "C:\\Users\\Admin\\Downloads\\240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe:*:Enabled:ipsec"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Key created	\REGISTRY\MACHINE\System\Controlset001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\5ba632a2\jusched.exe = "C:\\Program Files (x86)\\5ba632a2\\jusched.exe:*:Enabled:JavaUpdate21"	240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\Mcoepkdo.exe = "C:\\Windows\\SysWOW64\\Mcoepkdo.exe:*:Enabled:ipsec"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\pcne.exe = "C:\\WINDOWS\\pcne.exe:*:Enabled:pcne.exe"	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\resender.exe = "C:\\WINDOWS\\resender.exe:*:Enabled:resender.exe"	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Downloads\240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe = "C:\\Users\\Admin\\Downloads\\240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe:*:enabled:@shell32.dll,-1"	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Mcoepkdo.exe

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	puazui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/6784-723-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 768 created 11624	768	240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe	418

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Mcoepkdo.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000243bc-7575.dat	modiloader_stage2

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\12962 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccgkia.cmd"	msiexec.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6JRRMFJ0-4T5K-4A50-51XT-LM2J48287K63}	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6JRRMFJ0-4T5K-4A50-51XT-LM2J48287K63}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe Restart"	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5744	powershell.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8408	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	240920-qb1fvsxfped43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	240920-pyd1psxakced9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2896	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
2968	240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
1132	Cohkokgj.exe
4388	Cnkkjh32.exe
3348	Cdecgbfa.exe
3940	Dkokcl32.exe
928	Dokgdkeh.exe
4904	Dbicpfdk.exe
2052	Ddgplado.exe
3476	Dmohno32.exe
848	Domdjj32.exe
4192	Dbkqfe32.exe
4392	Ddjmba32.exe
1996	Dheibpje.exe
4816	Dooaoj32.exe
2308	240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe
4760	Dbnmke32.exe
1828	Dfiildio.exe
1640	Digehphc.exe
5156	Dmcain32.exe
5192	Dkfadkgf.exe
5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
5244	Dndnpf32.exe
5296	240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
5304	Ddnfmqng.exe
5352	Dkhnjk32.exe
5424	Dfnbgc32.exe
5460	Eiloco32.exe
5540	Efpomccg.exe
5572	Eecphp32.exe
5632	Eoideh32.exe
5668	Enkdaepb.exe
5680	240920-qlm9aayenjfile.exe
5752	Eokqkh32.exe
5768	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
5804	Ebimgcfi.exe
5864	Eblimcdf.exe
5916	services.exe
5924	Ekdnei32.exe
6012	Fmcjpl32.exe
6092	Fbpchb32.exe
1124	240920-ptnz4swgnfBackdoor.Win32.Berbew.AA.MTB-0eee6dad188b5809a34976a1d88a54a8e44afeb52737c4caccea135cc3caf3d3N
4320	Flkdfh32.exe
3048	Fbelcblk.exe
5416	Fmmmfj32.exe
5520	Fnnjmbpm.exe
5652	Gfeaopqo.exe
6508	Gifkpknp.exe
6560	Gldglf32.exe
6632	Gncchb32.exe
6772	240920-p8sxlsxenbacfeb6c0b7ba5a352256acc7319c8d2aa817c3af3fcd68cc508b2977212e4d32N.exe
6816	Glgcbf32.exe
6872	Gflhoo32.exe
6924	Geohklaa.exe
7036	Gmfplibd.exe
7092	Gimqajgh.exe
5728	Gpgind32.exe
5852	Gojiiafp.exe
5912	Hfaajnfb.exe
5956	240920-p8e1raxema6e8222906d72ba0b57d40bd15cda5be06e19c5ec185e37d09528ad058b2fce49N.exe
6068	Hpiecd32.exe
5040	Hfcnpn32.exe
3492	Hefnkkkj.exe
7216	Hmmfmhll.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe

Loads dropped DLL 26 IoCs

pid	Process
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
4712	DoomRat.exe
5168	Regsvr32.exe
9196	240920-prhqbawfnged987470d312b0ad62b6eabcd751b00b_JaffaCakes118.exe
9180	240920-p9yjgsxhqj25bafa2018b75ef616c76f48fe87aa33fd2b2afb9a1bc8923fbe92af82beb12eN.exe
11128	240920-pznxasxdmk384601ce9d5b15f2fc46f59ad2ea668675787b217565bc141291233190c25390N.exe
6256	240920-qkdnfsydrjffb76b552990f325604ec8fe20bd48ac713b818febb830218d7175c36d517cdbN.exe
9376	240920-qh8qtaydmqe6653815847a48ccd23c521abf6be773bdaf1a8d8d49033674d9867070468989N.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023dcf-3597.dat	upx
behavioral2/files/0x00090000000243ff-7740.dat	upx
behavioral2/files/0x0007000000024038-4379.dat	upx
behavioral2/files/0x0008000000024000-4070.dat	upx
behavioral2/files/0x0008000000023f11-1688.dat	upx
behavioral2/memory/5916-505-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5212-419-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/5212-417-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/5212-398-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/5768-422-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5212-420-0x0000000031420000-0x000000003143B000-memory.dmp	upx
behavioral2/memory/5212-381-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/5212-344-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/5212-324-0x0000000031420000-0x000000003143B000-memory.dmp	upx
behavioral2/memory/2968-245-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/2968-176-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/files/0x0007000000024a5f-10212.dat	upx
behavioral2/files/0x0007000000024e35-12866.dat	upx

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Mcoepkdo.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rdgpo.exe"	cnpxlft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /j"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uvtsfubf.exe"	dqwatkcv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jfpxnb.exe"	xckuetd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /t"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /B"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /N"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eCIUkkwM.exe = "C:\\Users\\Admin\\YeAUkAQQ\\eCIUkkwM.exe"	eCIUkkwM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tvkleyi = "C:\\Users\\Admin\\AppData\\Roaming\\Tvkleyi.exe"	240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /E"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /F"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /h"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\oaoht.exe"	edjzi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	240920-qb1fvsxfped43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /D"	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /c"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wIEoUggg.exe = "C:\\ProgramData\\RkUUkEsg\\wIEoUggg.exe"	wIEoUggg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /U"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xckuetd.exe"	rdgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /i"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\guajncc.exe"	jfpxnb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /Y"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /K"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WorkUpdate = "C:\\WINDOWS\\system32\\MsCM32.exe"	240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dqwatkcv.exe"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\izidzguv.exe"	uvtsfubf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	240920-qbm6jayankeda64880f77ed2226cf9dd5cf314ae4e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /S"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched21 = "C:\\Program Files (x86)\\5ba632a2\\jusched.exe"	240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /u"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /M"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /e"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\cnpxlft.exe"	oaoht.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /Z"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /s"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /I"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eCIUkkwM.exe = "C:\\Users\\Admin\\YeAUkAQQ\\eCIUkkwM.exe"	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wIEoUggg.exe = "C:\\ProgramData\\RkUUkEsg\\wIEoUggg.exe"	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ucyhp.exe"	nngkmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\edjzi.exe"	ucyhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /l"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Windows\\pcne.exe"	240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /J"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /Q"	puazui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puazui = "C:\\Users\\Admin\\puazui.exe /V"	puazui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dkjmqb.exe"	guajncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nngkmlg.exe"	izidzguv.exe

Blocklisted process makes network request 13 IoCs

flow	pid	Process
293	9172	msiexec.exe
294	9172	msiexec.exe
306	9172	msiexec.exe
308	9172	msiexec.exe
313	9172	msiexec.exe
561	9172	msiexec.exe
321	9172	msiexec.exe
323	9172	msiexec.exe
324	9172	msiexec.exe
325	9172	msiexec.exe
326	9172	msiexec.exe
566	9172	msiexec.exe
335	9172	msiexec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe

Enumerates connected drives 3 TTPs 35 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\L:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\M:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\T:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\W:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\J:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\E:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\H:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\V:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\U:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\N:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\Q:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\P:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\S:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\S:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\P:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\K:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\L:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\N:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\O:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\R:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\H:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\O:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\U:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\T:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\E:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\G:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\G:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\I:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\J:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\Q:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened (read-only)	\??\I:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\K:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\R:	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened (read-only)	\??\M:	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
11	pastebin.com
15	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
295	checkip.dyndns.org

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe

Program crash 22 IoCs

pid	pid_target	Process	procid_target
10216	9180	WerFault.exe	375
11740	10748	WerFault.exe	430
5508	6612	Process not Found	478
12252	6612	Process not Found	478
14016	10748	Process not Found	430
7304	9920	Process not Found	985
5472	10748	Process not Found	430
2688	5304	Process not Found
2552	876	Process not Found
7932	6612	Process not Found	478
4600	6612	WerFault.exe	478
16152	10748	WerFault.exe	430
10244	6472	Process not Found
12572	10064	WerFault.exe	521
11372	6612	WerFault.exe	478
11356	11528	WerFault.exe	465
8856	5168	WerFault.exe	1133
8652	9196	WerFault.exe
7620	5664	Process not Found	1611
16912	10748	Process not Found	430
7424	6612	Process not Found	478
4092	6612	Process not Found	478

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eiloco32.exe	Dkhnjk32.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Hefnkkkj.exe	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Ilqoobdd.exe	Iipfmggc.exe
File opened for modification	C:\Windows\SysWOW64\Jofalmmp.exe	Jmbhoeid.exe
File opened for modification	C:\WINDOWS\SysWOW64\LLCGHG32.EXE	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Jhafck32.dll	Kpanan32.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Gpdennml.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	240920-p8nmwsxemgbdec8ef959b2869ed4a098d79191d6573c5faf7c50d9a6abd176713d2eda40c0N.exe
File opened for modification	C:\Windows\SysWOW64\Bimach32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Maaekg32.exe
File opened for modification	C:\WINDOWS\SysWOW64\AALMIMFD.EXE	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File created	C:\Windows\System32\eOEOURb.exe	240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
File created	C:\Windows\SysWOW64\Ebcneqod.dll	Eblimcdf.exe
File created	C:\Windows\SysWOW64\Eeccjdie.dll	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	240920-px53ssxajf4aa22b1a9231b6ca5a59bef2b6fac78427b2b4ee4423310b6a916344900095b2N.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Edqnimdf.dll	Kckqbj32.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
File created	C:\Windows\System32\rXPuEEu.exe	240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
File created	C:\Windows\SysWOW64\Hbohpn32.exe	Hlpfhe32.exe
File created	C:\Windows\SysWOW64\Lblldc32.dll	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Ickglm32.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Jghpbk32.exe	Iplkpa32.exe
File opened for modification	C:\Windows\SysWOW64\Iqaiga32.exe	Hjlaoioh.exe
File opened for modification	C:\Windows\SysWOW64\Jenmcggo.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Eelche32.dll	Kpoalo32.exe
File opened for modification	C:\Windows\SysWOW64\ntos.exe	240920-p8p6qaxhjreda44d9dd372786b7c8c9710442a294a_JaffaCakes118.exe
File created	C:\Windows\System32\SqtpbTh.exe	240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
File opened for modification	C:\Windows\SysWOW64\Cohkokgj.exe	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lfeljd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Mmmqhl32.exe	Mmhgmmbf.exe
File created	C:\Windows\SysWOW64\Pijmiq32.dll	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Kofkbk32.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Lckiihok.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Mqfpckhm.exe	Mmfkhmdi.exe
File created	C:\Windows\SysWOW64\Ifenan32.dll	Jinboekc.exe
File created	C:\Windows\System32\XaPWuMP.exe	240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
File created	C:\Windows\SysWOW64\Mhmmieil.exe	Kppbejka.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	240920-qaah2sxhrk8ccc5a9f3ea214983ba2418b8fb4b4d333279caaf8c95703687bda36accdbe4aN.exe
File opened for modification	C:\WINDOWS\SysWOW64\CNJDPAKI.EXE	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Iomoenej.exe	Ibfnqmpf.exe
File created	C:\Windows\SysWOW64\Kgffoo32.dll	Iefgbh32.exe
File opened for modification	C:\Windows\SysWOW64\Kjlopc32.exe	Kcpjnjii.exe
File opened for modification	C:\Windows\SysWOW64\Hkmncbbm.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Fmmmfj32.exe	240920-ptnz4swgnfBackdoor.Win32.Berbew.AA.MTB-0eee6dad188b5809a34976a1d88a54a8e44afeb52737c4caccea135cc3caf3d3N
File created	C:\Windows\SysWOW64\Hmbphg32.exe	Hfcnpn32.exe
File created	C:\Windows\SysWOW64\Kcpjnjii.exe	Kjeiodek.exe
File opened for modification	C:\Windows\SysWOW64\Ljkghi32.exe	Bmimdg32.exe
File opened for modification	C:\WINDOWS\SysWOW64\FNFFHGON.EXE	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Jjdiadlg.dll	Jmopmalc.exe
File opened for modification	C:\Windows\SysWOW64\Cdecgbfa.exe	Cnkkjh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiildio.exe	240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe
File created	C:\Windows\SysWOW64\Jiglnf32.exe	Ioolkncg.exe
File created	C:\Windows\SysWOW64\Kgflcifg.exe	Jedccfqg.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	240920-px53ssxajf4aa22b1a9231b6ca5a59bef2b6fac78427b2b4ee4423310b6a916344900095b2N.exe
File opened for modification	C:\WINDOWS\SysWOW64\DPOPBEPI.EXE	240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Joahqn32.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Anfmbd32.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\svchost.exe	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
File created	C:\Windows\System32\QAhWoio.exe	240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5680 set thread context of 6784	5680	240920-qlm9aayenjfile.exe	143
PID 9820 set thread context of 9320	9820	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe	408
PID 768 set thread context of 11004	768	240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe	432
PID 3812 set thread context of 1408	3812	240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe	536
PID 7932 set thread context of 7788	7932	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe	568

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	240920-qk384syelkedac62408b8856c7353817b68bef60ce_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\DAhCDiD.exe	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\099b5c0ab0c876	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\Program Files (x86)\5ba632a2\jusched.exe	240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
File created	C:\Program Files (x86)\5ba632a2\5ba632a2	240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\DAhCDiD.exe	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\PROGRA~3\LOCALS~1\Temp\ccgkia.cmd	msiexec.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\DKfbnQR.exe	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\329f61d52668df	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\Program Files\7-Zip\Lang\lYyVETy.exe	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
File created	C:\Program Files\7-Zip\Lang\fbdc3ac883967d	240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BIxCUGr.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\PHgucVs.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\hSMhgrF.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\cslduHM.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\SifeLvP.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\hINeMTV.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\gMBWXsu.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\DpfeTNA.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\JknRIVs.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\HkyzsKD.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\PmaXSUA.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\XeBzzxt.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\HOyhBaq.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File created	C:\Windows\System\cqDgoJH.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\qOIdQzy.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\zUZRqFo.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\IFFplrJ.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\HahLgfg.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\fOaafVK.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\tmqEgFH.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\PBRPeod.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\zAnNSkL.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\dZrYnqm.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\oFmEAaD.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\WpsmuVk.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\YhYuSgi.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\XULDCts.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\VxDAZdP.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\SraYAtu.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\RYanXXB.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\YNubKWk.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\aSvXbBX.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\NoViMRv.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\SMlizzy.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\bEceqOU.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\tiMahZs.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\nOwpQUT.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\DQwSEqK.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\MhiRxdA.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\JlyjBZN.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\pqMOzTR.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\KtaScYC.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\cMGJgvm.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
File created	C:\Windows\System\LVtwGgx.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\yKQaQQf.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\WKJyjju.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\QIVxFtl.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\yZNpJtc.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\JvKiBgj.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\AjbaPKV.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\AeGmhfe.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\UxgxLVW.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\vifwxsu.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\jDEBqQD.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\NkoLWmM.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\GkPHond.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\SFkCkvi.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\MvSCCto.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\SsUIPFs.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\System\EkSbVBc.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
File created	C:\Windows\lsass.exe	240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
File created	C:\Windows\System\jgxaCCf.exe	240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekdnei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jebfng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcfggkac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-qj9dqsydqne74a32e009cb8730cd1f3d529ca944ec72215b4b4a075b2e0b596608db66a52aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjvpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-p1cknaxdpm1fc10f9b2761624cc2fe649f39a53c6ffb5ead322076161e136b4ccf6ea3a465N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhjae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joahqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaagkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggejg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-qgkycsxhmceda9af60aedff23e13dce0da64d09d03_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-pys5maxalhed9dbfe711729666fea40b1e08f5d0e2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnfjehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofkbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjdvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiildio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcimdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-p8p6qaxhjreda44d9dd372786b7c8c9710442a294a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcoaglhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-p9w1naxhpqeda52dc5ca55d40d087dbac5aba60e07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmohno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebimgcfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ppjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	llxrrll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcaknbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedccfqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cnpxlft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loighj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpmdfonj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-qlr78sybmaedacbadd9b726b4bb5fd13b96d6409ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpoalo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvtsfubf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rllxrlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240920-p133lsxblged9f7a0516013b514212e62606b55892_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhceh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucyhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfaajnfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jofalmmp.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1228	taskkill.exe
9692	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS	240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.51jk5.com"	240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.51jk5.com"	240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240920-qgxbdsydjja02e4d5b4125aab036d9223b3fb522ee377e3e68b376aa01285c25446928a491N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	240920-qdvndsxgmed7f287f64be25e712ef14f64de6802ef3b1dbcb251e9fce4e26171193ca525c4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command	240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240920-qgjqasycqkdcdfe0e34f08bb17bdde6d169cb251eef1fd37b2a6425e120ae13c555da54df1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfmbd32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll"	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjhjae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Likcdpop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ickglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll"	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdblhj32.dll"	Fbpchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpmbjhg.dll"	Nkpbpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phajna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddnfmqng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggahmjd.dll"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhodeflk.dll"	Lhmjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll"	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgkmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240920-qbf28axfmgc58396ee6fe28f6b6da46e965fead2154b8e51a6abb86ad73b68499a243cd048N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkkjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll"	240920-qde8psybljfad84387b1d210642cee885ee1f929a95340600a5f99f6d4489a4c07f7722b73N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	240920-p9hg9sxeqd0669979483ebee857ec43749e104d092f79049a7167639d47a3431120485a1e4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkmncbbm.dll"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gncchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbelcblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll"	Jgpfbjlo.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
3772	reg.exe
5384	reg.exe
7676	reg.exe
11664	reg.exe
9324	reg.exe
7080	reg.exe
4588	reg.exe
9072	reg.exe
9332	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
6216	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
6216	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
6216	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
6216	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
9600	240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
9600	240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
8308	userinit.exe
8308	userinit.exe
8004	240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
8004	240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
7540	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
7540	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
9396	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
9396	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
9396	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
9396	240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
8652	WerFault.exe
8652	WerFault.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
11652	iexpress.exe
11652	iexpress.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
8096	explorer.exe
8096	explorer.exe
8096	explorer.exe
8096	explorer.exe
8856	WerFault.exe
8856	WerFault.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
768	240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
768	240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid
4
4
4
4

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
1408	240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe
1408	240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
9800	240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Token: SeDebugPrivilege	5212	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
9320	240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
11076	240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
5296	240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
7540	240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
8240	240920-qkx24ayargedac41ffb727204b9ecfc2c75f919c5b_JaffaCakes118.exe
9600	240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
9600	240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
8308	userinit.exe
8308	userinit.exe
8004	240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
8004	240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
8096	explorer.exe
8096	explorer.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
10116	spoolsv.exe
7300	240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
10116	spoolsv.exe
8340	svchost.exe
8340	svchost.exe
6904	IMDCSC.exe
7484	240920-p9w1naxhpqeda52dc5ca55d40d087dbac5aba60e07_JaffaCakes118.exe
6472	puazui.exe
8164	spoolsv.exe
8164	spoolsv.exe
8688	240920-qckrssxfreeda6e58af1b4b78c707d1f94684d0d88_JaffaCakes118.exe
11232	240920-p9x8qaxereeda53730e142fc1d1d24f231edc2d306_JaffaCakes118.exe
9680	240920-p7h11sxgpkeda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe
11164	240920-p7xt6sxgqmeda3c8802aa54cb0c5b574604a256cea_JaffaCakes118.exe
5824	240920-ptzfvaxblj296deb014deddbad300c2ba8f156ba599e6a57efeffb42f5afc19fe88c5fc811N.exe
852	240920-qgxl6axhneeda9e92acebfb21133cfaf6eac807914_JaffaCakes118.exe
208	240920-qgkycsxhmceda9af60aedff23e13dce0da64d09d03_JaffaCakes118.exe
11140	240920-pzadxaxanced9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
11140	240920-pzadxaxanced9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
8996	240920-p2l6gsxekmed9ff149f56b2740d186e53182369530_JaffaCakes118.exe
7932	240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
6432	240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
11224	240920-qbdxvsyaml8abbdef95beac2aec293a8b8f0feedcf8941466fd2a6171e7c2d1f44d3a07019N.exe
8784	explorer.exe
11612	240920-qgmf7axhmeeda9ba49db1396afbe40b1ed8fa20918_JaffaCakes118.exe
11224	240920-qbdxvsyaml8abbdef95beac2aec293a8b8f0feedcf8941466fd2a6171e7c2d1f44d3a07019N.exe
8784	explorer.exe
9920	240920-p133lsxblged9f7a0516013b514212e62606b55892_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
9196	240920-prhqbawfnged987470d312b0ad62b6eabcd751b00b_JaffaCakes118.exe
9180	240920-p9yjgsxhqj25bafa2018b75ef616c76f48fe87aa33fd2b2afb9a1bc8923fbe92af82beb12eN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4712	1116	DoomRat.exe	85
PID 1116 wrote to memory of 4712	1116	DoomRat.exe	85
PID 4712 wrote to memory of 4084	4712	DoomRat.exe	89
PID 4712 wrote to memory of 4084	4712	DoomRat.exe	89
PID 4712 wrote to memory of 2896	4712	DoomRat.exe	92
PID 4712 wrote to memory of 2896	4712	DoomRat.exe	92
PID 4712 wrote to memory of 2896	4712	DoomRat.exe	92
PID 4712 wrote to memory of 2968	4712	DoomRat.exe	93
PID 4712 wrote to memory of 2968	4712	DoomRat.exe	93
PID 4712 wrote to memory of 2968	4712	DoomRat.exe	93
PID 2896 wrote to memory of 1132	2896	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe	94
PID 2896 wrote to memory of 1132	2896	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe	94
PID 2896 wrote to memory of 1132	2896	240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe	94
PID 1132 wrote to memory of 4388	1132	Cohkokgj.exe	95
PID 1132 wrote to memory of 4388	1132	Cohkokgj.exe	95
PID 1132 wrote to memory of 4388	1132	Cohkokgj.exe	95
PID 4388 wrote to memory of 3348	4388	Cnkkjh32.exe	96
PID 4388 wrote to memory of 3348	4388	Cnkkjh32.exe	96
PID 4388 wrote to memory of 3348	4388	Cnkkjh32.exe	96
PID 3348 wrote to memory of 3940	3348	Cdecgbfa.exe	97
PID 3348 wrote to memory of 3940	3348	Cdecgbfa.exe	97
PID 3348 wrote to memory of 3940	3348	Cdecgbfa.exe	97
PID 3940 wrote to memory of 928	3940	Dkokcl32.exe	98
PID 3940 wrote to memory of 928	3940	Dkokcl32.exe	98
PID 3940 wrote to memory of 928	3940	Dkokcl32.exe	98
PID 928 wrote to memory of 4904	928	Dokgdkeh.exe	99
PID 928 wrote to memory of 4904	928	Dokgdkeh.exe	99
PID 928 wrote to memory of 4904	928	Dokgdkeh.exe	99
PID 4904 wrote to memory of 2052	4904	Dbicpfdk.exe	100
PID 4904 wrote to memory of 2052	4904	Dbicpfdk.exe	100
PID 4904 wrote to memory of 2052	4904	Dbicpfdk.exe	100
PID 2052 wrote to memory of 3476	2052	Ddgplado.exe	101
PID 2052 wrote to memory of 3476	2052	Ddgplado.exe	101
PID 2052 wrote to memory of 3476	2052	Ddgplado.exe	101
PID 3476 wrote to memory of 848	3476	Dmohno32.exe	102
PID 3476 wrote to memory of 848	3476	Dmohno32.exe	102
PID 3476 wrote to memory of 848	3476	Dmohno32.exe	102
PID 848 wrote to memory of 4192	848	Domdjj32.exe	103
PID 848 wrote to memory of 4192	848	Domdjj32.exe	103
PID 848 wrote to memory of 4192	848	Domdjj32.exe	103
PID 4192 wrote to memory of 4392	4192	Dbkqfe32.exe	104
PID 4192 wrote to memory of 4392	4192	Dbkqfe32.exe	104
PID 4192 wrote to memory of 4392	4192	Dbkqfe32.exe	104
PID 4392 wrote to memory of 1996	4392	Ddjmba32.exe	105
PID 4392 wrote to memory of 1996	4392	Ddjmba32.exe	105
PID 4392 wrote to memory of 1996	4392	Ddjmba32.exe	105
PID 1996 wrote to memory of 4816	1996	Dheibpje.exe	106
PID 1996 wrote to memory of 4816	1996	Dheibpje.exe	106
PID 1996 wrote to memory of 4816	1996	Dheibpje.exe	106
PID 4712 wrote to memory of 2308	4712	DoomRat.exe	107
PID 4712 wrote to memory of 2308	4712	DoomRat.exe	107
PID 4712 wrote to memory of 2308	4712	DoomRat.exe	107
PID 4816 wrote to memory of 4760	4816	Dooaoj32.exe	108
PID 4816 wrote to memory of 4760	4816	Dooaoj32.exe	108
PID 4816 wrote to memory of 4760	4816	Dooaoj32.exe	108
PID 2308 wrote to memory of 1828	2308	240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe	109
PID 2308 wrote to memory of 1828	2308	240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe	109
PID 2308 wrote to memory of 1828	2308	240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe	109
PID 4760 wrote to memory of 1640	4760	Dbnmke32.exe	110
PID 4760 wrote to memory of 1640	4760	Dbnmke32.exe	110
PID 4760 wrote to memory of 1640	4760	Dbnmke32.exe	110
PID 1828 wrote to memory of 5156	1828	Dfiildio.exe	111
PID 1828 wrote to memory of 5156	1828	Dfiildio.exe	111
PID 1828 wrote to memory of 5156	1828	Dfiildio.exe	111

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mcoepkdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:808
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:15852
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2180
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3764
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3880
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3948
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4036
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4228
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:5096
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4936
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:2140
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3308
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2228
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2296
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2424
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1912
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:8904
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:9792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1516
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3288

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
  "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
    "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4084
  - - C:\Users\Admin\Downloads\240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
      C:\Users\Admin\Downloads\240920-qdstssybnjb8316d13f4047be963430f6d24c6a18db4eb50f13a0296c5f209026a1e238debN.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        19⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        20⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5424
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        24⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        27⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        28⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        29⤵
        Executes dropped EXE
        
        PID:5520
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        31⤵
        Executes dropped EXE
        
        PID:6872
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        32⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        35⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        36⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        37⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        38⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        39⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        40⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7376
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:7916
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:8468
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        45⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9148
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        47⤵
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        48⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8424
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        51⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9032
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9396
  - - C:\Users\Admin\Downloads\240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qe4bxsxgqheda88f7ae36ded31fec80c7aa05b8f4e_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Users\Admin\Downloads\240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe
      C:\Users\Admin\Downloads\240920-qc213sybjp1bf037c1accbaa974cd7652e900bdb53fd1dc7f052082e3562dc109c978c2694N.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        6⤵
        Executes dropped EXE
        
        PID:5156
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        9⤵
        Executes dropped EXE
        
        PID:5460
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        10⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        11⤵
        Executes dropped EXE
        
        PID:5668
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        18⤵
        Executes dropped EXE
        
        PID:6924
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        20⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        21⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7668
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        23⤵
        Drops file in System32 directory
        
        PID:7872
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8104
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        25⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        26⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        29⤵
        Drops file in System32 directory
        
        PID:7972
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        30⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        31⤵
        Modifies registry class
        
        PID:8508
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        32⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        33⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        34⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        35⤵
        Drops file in System32 directory
        
        PID:8064
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8528
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        37⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        38⤵
        Modifies registry class
        
        PID:8556
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        39⤵
        
        PID:8728
  - - C:\Users\Admin\Downloads\240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p3672sxerqeda10913cdc60c352847611bd3db5ee6_JaffaCakes118.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:5212
    - - C:\Windows\SysWOW64\dqwatkcv.exe
        
        C:\Windows\system32\dqwatkcv.exe
        5⤵
        Adds Run key to start application
        
        PID:4500
      - C:\Windows\SysWOW64\uvtsfubf.exe
        
        C:\Windows\system32\uvtsfubf.exe
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9232
        
        C:\Windows\SysWOW64\izidzguv.exe
        
        C:\Windows\system32\izidzguv.exe
        7⤵
        Adds Run key to start application
        
        PID:9908
        
        C:\Windows\SysWOW64\nngkmlg.exe
        
        C:\Windows\system32\nngkmlg.exe
        8⤵
        Adds Run key to start application
        
        PID:8980
        
        C:\Windows\SysWOW64\ucyhp.exe
        
        C:\Windows\system32\ucyhp.exe
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9644
        
        C:\Windows\SysWOW64\edjzi.exe
        
        C:\Windows\system32\edjzi.exe
        10⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Windows\SysWOW64\oaoht.exe
        
        C:\Windows\system32\oaoht.exe
        11⤵
        Adds Run key to start application
        
        PID:8316
        
        C:\Windows\SysWOW64\cnpxlft.exe
        
        C:\Windows\system32\cnpxlft.exe
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9240
        
        C:\Windows\SysWOW64\rdgpo.exe
        
        C:\Windows\system32\rdgpo.exe
        13⤵
        Adds Run key to start application
        
        PID:4396
        
        C:\Windows\SysWOW64\xckuetd.exe
        
        C:\Windows\system32\xckuetd.exe
        14⤵
        Adds Run key to start application
        
        PID:5796
        
        C:\Windows\SysWOW64\jfpxnb.exe
        
        C:\Windows\system32\jfpxnb.exe
        15⤵
        Adds Run key to start application
        
        PID:10872
        
        C:\Windows\SysWOW64\guajncc.exe
        
        C:\Windows\system32\guajncc.exe
        16⤵
        Adds Run key to start application
        
        PID:9124
        
        C:\Windows\SysWOW64\dkjmqb.exe
        
        C:\Windows\system32\dkjmqb.exe
        17⤵
        
        PID:2772
  - - C:\Users\Admin\Downloads\240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:5296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "Copy "C:\Users\Admin\Downloads\240920-qbdxvsyamkeda623985a926abdb5f84a94f8dcb9d3_JaffaCakes118.exe" %Windir%\system32\MsCM32.exe"
        5⤵
        
        PID:7108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6088
  - - C:\Users\Admin\Downloads\240920-qlm9aayenjfile.exe
      C:\Users\Admin\Downloads\240920-qlm9aayenjfile.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5680
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Modifies system certificate store
        
        PID:6784
  - - C:\Users\Admin\Downloads\240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
      C:\Users\Admin\Downloads\240920-pz8xgaxard748abec6e830ce1f112c7f0c0d3c56c6e418e39423ac8c234a69f5afe1da9642N.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      System policy modification
      PID:5768
    - - C:\Windows\services.exe
        
        "C:\Windows\services.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5916
  - - C:\Users\Admin\Downloads\240920-ptnz4swgnfBackdoor.Win32.Berbew.AA.MTB-0eee6dad188b5809a34976a1d88a54a8e44afeb52737c4caccea135cc3caf3d3N
      C:\Users\Admin\Downloads\240920-ptnz4swgnfBackdoor.Win32.Berbew.AA.MTB-0eee6dad188b5809a34976a1d88a54a8e44afeb52737c4caccea135cc3caf3d3N
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1124
    - - C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5416
      - C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        7⤵
        Executes dropped EXE
        
        PID:6816
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        8⤵
        Executes dropped EXE
        
        PID:7092
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        9⤵
        Executes dropped EXE
        
        PID:6068
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        11⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        12⤵
        Drops file in System32 directory
        
        PID:7772
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        13⤵
        Drops file in System32 directory
        
        PID:7980
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        14⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        15⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        19⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        20⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        21⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        22⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        23⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7600
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        25⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        26⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        27⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        28⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        29⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9716
  - - C:\Users\Admin\Downloads\240920-p8sxlsxenbacfeb6c0b7ba5a352256acc7319c8d2aa817c3af3fcd68cc508b2977212e4d32N.exe
      C:\Users\Admin\Downloads\240920-p8sxlsxenbacfeb6c0b7ba5a352256acc7319c8d2aa817c3af3fcd68cc508b2977212e4d32N.exe
      4⤵
      Executes dropped EXE
      PID:6772
    - - C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:7036
      - C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        7⤵
        Executes dropped EXE
        
        PID:7216
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        8⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        9⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        10⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        11⤵
        Drops file in System32 directory
        
        PID:8140
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        12⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        13⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        14⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7472
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        16⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        17⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        18⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        19⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8896
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        20⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        22⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        23⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        24⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8464
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7716
  - - C:\Users\Admin\Downloads\240920-p8e1raxema6e8222906d72ba0b57d40bd15cda5be06e19c5ec185e37d09528ad058b2fce49N.exe
      C:\Users\Admin\Downloads\240920-p8e1raxema6e8222906d72ba0b57d40bd15cda5be06e19c5ec185e37d09528ad058b2fce49N.exe
      4⤵
      Executes dropped EXE
      PID:5956
    - - C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        5⤵
        Drops file in System32 directory
        
        PID:7248
      - C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        6⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        8⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        9⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        10⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        12⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        13⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        14⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        15⤵
        Drops file in System32 directory
        
        PID:8228
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        16⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8908
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        19⤵
        Drops file in System32 directory
        
        PID:7372
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        21⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        22⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        24⤵
        Drops file in System32 directory
        
        PID:7564
  - - C:\Users\Admin\Downloads\240920-qah57ayajke7717c828b13b71430d2936ef8b6da418b8c7a004e74d2e8f2dc0d1d7468932dN.exe
      C:\Users\Admin\Downloads\240920-qah57ayajke7717c828b13b71430d2936ef8b6da418b8c7a004e74d2e8f2dc0d1d7468932dN.exe
      4⤵
      PID:7804
    - - C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8032
      - C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        6⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        8⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        9⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        10⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        11⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        12⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        13⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        14⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        16⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        17⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        18⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        19⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        20⤵
        Modifies registry class
        
        PID:8796
  - - C:\Users\Admin\Downloads\240920-qde8psybljfad84387b1d210642cee885ee1f929a95340600a5f99f6d4489a4c07f7722b73N.exe
      C:\Users\Admin\Downloads\240920-qde8psybljfad84387b1d210642cee885ee1f929a95340600a5f99f6d4489a4c07f7722b73N.exe
      4⤵
      Modifies registry class
      PID:5176
    - - C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        5⤵
        
        PID:6548
      - C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        6⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        7⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7732
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        10⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        11⤵
        Modifies registry class
        
        PID:8692
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9040
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        13⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        14⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        15⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:8864
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8516
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8664
  - - C:\Users\Admin\Downloads\240920-qbf28axfmgc58396ee6fe28f6b6da46e965fead2154b8e51a6abb86ad73b68499a243cd048N.exe
      C:\Users\Admin\Downloads\240920-qbf28axfmgc58396ee6fe28f6b6da46e965fead2154b8e51a6abb86ad73b68499a243cd048N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies registry class
      PID:7148
    - - C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        5⤵
        Drops file in System32 directory
        
        PID:7256
      - C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        6⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        7⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8316
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8656
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        10⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4528
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        12⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        13⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        14⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        15⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        16⤵
        Modifies registry class
        
        PID:9064
  - - C:\Users\Admin\Downloads\240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qlf5zayblaedac99b8bf1d6b9965c0210decbf99fc_JaffaCakes118.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Checks computer location settings
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:7540
    - - C:\Users\Admin\puazui.exe
        
        "C:\Users\Admin\puazui.exe"
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:6472
  - - C:\Users\Admin\Downloads\240920-qkx24ayargedac41ffb727204b9ecfc2c75f919c5b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qkx24ayargedac41ffb727204b9ecfc2c75f919c5b_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:8240
  - - C:\Users\Admin\Downloads\240920-qgjqasycqkdcdfe0e34f08bb17bdde6d169cb251eef1fd37b2a6425e120ae13c555da54df1N.exe
      C:\Users\Admin\Downloads\240920-qgjqasycqkdcdfe0e34f08bb17bdde6d169cb251eef1fd37b2a6425e120ae13c555da54df1N.exe
      4⤵
      Modifies registry class
      PID:8924
    - - C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        5⤵
        
        PID:6988
      - C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        6⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        8⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8344
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        10⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        11⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        12⤵
        Modifies registry class
        
        PID:9684
  - - C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:6216
    - - C:\Users\Admin\YeAUkAQQ\eCIUkkwM.exe
        
        "C:\Users\Admin\YeAUkAQQ\eCIUkkwM.exe"
        5⤵
        Adds Run key to start application
        
        PID:7828
    - - C:\ProgramData\RkUUkEsg\wIEoUggg.exe
        
        "C:\ProgramData\RkUUkEsg\wIEoUggg.exe"
        5⤵
        Adds Run key to start application
        
        PID:8948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118"
        5⤵
        
        PID:7124
      - C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:9396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118"
        7⤵
        
        PID:6824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:7640
        
        C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118
        8⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118"
        9⤵
        
        PID:10028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:12264
        
        C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118
        10⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        
        PID:9072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:11664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMMcsEMc.bat" "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe""
        9⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskgcUEw.bat" "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe""
        7⤵
        
        PID:5788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:9444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:9324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:9332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcwQwsgc.bat" "C:\Users\Admin\Downloads\240920-ps8ccswgmaed9a0cbe136fb6ab59971cb92d0be0c3_JaffaCakes118.exe""
        5⤵
        
        PID:9348
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:9860
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4776
  - - C:\Users\Admin\Downloads\240920-p5tpqsxfqnbc3e318799303a80de34d04f7f6aa10789b1f255e79f3e943689048eae0e094c.exe
      C:\Users\Admin\Downloads\240920-p5tpqsxfqnbc3e318799303a80de34d04f7f6aa10789b1f255e79f3e943689048eae0e094c.exe
      4⤵
      PID:7328
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\Downloads\240920-p5tpqsxfqnbc3e318799303a80de34d04f7f6aa10789b1f255e79f3e943689048eae0e094c.exe" "240920-p5tpqsxfqnbc3e318799303a80de34d04f7f6aa10789b1f255e79f3e943689048eae0e094c.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8408
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:10468
  - - C:\Users\Admin\Downloads\240920-p85leaxhlpda25d12bc62aacc92f6db8fcd2dcb32d82ef836334a695a3989e60a0172e6eb9N.exe
      C:\Users\Admin\Downloads\240920-p85leaxhlpda25d12bc62aacc92f6db8fcd2dcb32d82ef836334a695a3989e60a0172e6eb9N.exe
      4⤵
      PID:5232
    - - \??\c:\pjjdv.exe
        
        c:\pjjdv.exe
        5⤵
        
        PID:8392
      - \??\c:\3jpjd.exe
        
        c:\3jpjd.exe
        6⤵
        
        PID:7456
        
        \??\c:\1flfllf.exe
        
        c:\1flfllf.exe
        7⤵
        
        PID:9284
        
        \??\c:\fxlfxrl.exe
        
        c:\fxlfxrl.exe
        8⤵
        
        PID:9924
        
        \??\c:\rllxrlf.exe
        
        c:\rllxrlf.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:10216
        
        \??\c:\pjdvp.exe
        
        c:\pjdvp.exe
        10⤵
        
        PID:6088
        
        \??\c:\vjvpp.exe
        
        c:\vjvpp.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9276
        
        \??\c:\nhhbtt.exe
        
        c:\nhhbtt.exe
        12⤵
        
        PID:9420
        
        \??\c:\jppjj.exe
        
        c:\jppjj.exe
        13⤵
        
        PID:9312
        
        \??\c:\bbnnhh.exe
        
        c:\bbnnhh.exe
        14⤵
        
        PID:6648
        
        \??\c:\hbhbbh.exe
        
        c:\hbhbbh.exe
        15⤵
        
        PID:9996
        
        \??\c:\fxfrrll.exe
        
        c:\fxfrrll.exe
        16⤵
        
        PID:6932
        
        \??\c:\lxxlfxr.exe
        
        c:\lxxlfxr.exe
        17⤵
        
        PID:8224
        
        \??\c:\7bthbt.exe
        
        c:\7bthbt.exe
        18⤵
        
        PID:5512
        
        \??\c:\1ppjv.exe
        
        c:\1ppjv.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:8404
        
        \??\c:\rflflll.exe
        
        c:\rflflll.exe
        20⤵
        
        PID:11568
        
        \??\c:\pjdvj.exe
        
        c:\pjdvj.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:10436
        
        \??\c:\1tbnbb.exe
        
        c:\1tbnbb.exe
        22⤵
        
        PID:8528
        
        \??\c:\rrflrff.exe
        
        c:\rrflrff.exe
        23⤵
        
        PID:12088
        
        \??\c:\nhhbbt.exe
        
        c:\nhhbbt.exe
        24⤵
        
        PID:10780
        
        \??\c:\llxrrll.exe
        
        c:\llxrrll.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:7916
        
        \??\c:\5lfxrlf.exe
        
        c:\5lfxrlf.exe
        26⤵
        
        PID:704
        
        \??\c:\btnhtb.exe
        
        c:\btnhtb.exe
        27⤵
        
        PID:12712
        
        \??\c:\fllflfr.exe
        
        c:\fllflfr.exe
        28⤵
        
        PID:12740
        
        \??\c:\9tbtbb.exe
        
        c:\9tbtbb.exe
        29⤵
        
        PID:6564
        
        \??\c:\lxxxrrr.exe
        
        c:\lxxxrrr.exe
        30⤵
        
        PID:15972
        
        \??\c:\7ttnnn.exe
        
        c:\7ttnnn.exe
        31⤵
        
        PID:12820
        
        \??\c:\bttnhb.exe
        
        c:\bttnhb.exe
        32⤵
        
        PID:9880
        
        \??\c:\nnhbnb.exe
        
        c:\nnhbnb.exe
        33⤵
        
        PID:7296
        
        \??\c:\bhhbbb.exe
        
        c:\bhhbbb.exe
        34⤵
        
        PID:6616
        
        \??\c:\rlrlrlr.exe
        
        c:\rlrlrlr.exe
        35⤵
        
        PID:12732
  - - C:\Users\Admin\Downloads\240920-qltq3ayenq061645157812ff9d6fa0f18fac137727bb7d61779020748613a2fd855af42d2eN.exe
      C:\Users\Admin\Downloads\240920-qltq3ayenq061645157812ff9d6fa0f18fac137727bb7d61779020748613a2fd855af42d2eN.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6192
    - - C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        5⤵
        
        PID:5740
      - C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        6⤵
        Modifies registry class
        
        PID:7240
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        7⤵
        
        PID:9740
  - - C:\Users\Admin\Downloads\240920-qaah2sxhrk8ccc5a9f3ea214983ba2418b8fb4b4d333279caaf8c95703687bda36accdbe4aN.exe
      C:\Users\Admin\Downloads\240920-qaah2sxhrk8ccc5a9f3ea214983ba2418b8fb4b4d333279caaf8c95703687bda36accdbe4aN.exe
      4⤵
      Drops file in System32 directory
      PID:9252
    - - C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10104
      - C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8416
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        7⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        8⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8572
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        10⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        11⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        12⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        13⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        14⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        15⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        16⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11596
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        18⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        19⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10100
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        21⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        22⤵
        Modifies registry class
        
        PID:10312
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        23⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        24⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:9420
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        25⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        26⤵
        Drops file in System32 directory
        
        PID:12704
        
        C:\Windows\SysWOW64\Ljkghi32.exe
        
        C:\Windows\system32\Ljkghi32.exe
        27⤵
        
        PID:12892
  - - C:\Users\Admin\Downloads\240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p15lfaxbmbed9f7a7c302a2f6481b205dd67dccd97_JaffaCakes118.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:9600
    - - C:\Windows\userinit.exe
        
        C:\Windows\userinit.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:8308
      - C:\Windows\SysWOW64\Regsvr32.exe
        
        Regsvr32 C:\Windows\system32\MSWINSCK.OCX /s
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 596
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:8856
  - - C:\Users\Admin\Downloads\240920-p6lqhsxdnd53f8316c266964d6539b5a4f55c50e8953f3bdeb507223d8966fb3a7725ae81fN.exe
      C:\Users\Admin\Downloads\240920-p6lqhsxdnd53f8316c266964d6539b5a4f55c50e8953f3bdeb507223d8966fb3a7725ae81fN.exe
      4⤵
      PID:9808
    - - C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        5⤵
        
        PID:10160
      - C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        6⤵
        
        PID:6604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\240920-qjjs3sydnnmain.bat
      4⤵
      PID:10068
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:11836
  - - C:\Users\Admin\Downloads\240920-qgw1maycrqe928b15b158375e01d37293b637902e55acbaea06a679b1b1e9eb3eae9838808.exe
      C:\Users\Admin\Downloads\240920-qgw1maycrqe928b15b158375e01d37293b637902e55acbaea06a679b1b1e9eb3eae9838808.exe
      4⤵
      PID:8272
  - - C:\Users\Admin\Downloads\240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
      C:\Users\Admin\Downloads\240920-ps5w8swgle8a67a0f46624f85d6a2b135f42dd988def5cf8f795bb8e6b3e80a5a7e011323dN.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:8004
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:8096
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10116
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8340
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8164
  - - C:\Users\Admin\Downloads\240920-qb1fvsxfped43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795N.exe
      C:\Users\Admin\Downloads\240920-qb1fvsxfped43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795N.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Adds Run key to start application
      PID:8760
    - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6904
  - - C:\Users\Admin\Downloads\240920-prhqbawfnged987470d312b0ad62b6eabcd751b00b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-prhqbawfnged987470d312b0ad62b6eabcd751b00b_JaffaCakes118.exe
      4⤵
      Loads dropped DLL
      Suspicious use of UnmapMainImage
      PID:9196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9196 -s 356
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:8652
  - - C:\Users\Admin\Downloads\240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      PID:9820
    - - C:\Users\Admin\Downloads\240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe
        
        "C:\Users\Admin\Downloads\240920-py23jaxamfed9dfdb924afd27029597dfba8e35903_JaffaCakes118.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:9320
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:11624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11004
  - - C:\Users\Admin\Downloads\240920-p9yjgsxhqj25bafa2018b75ef616c76f48fe87aa33fd2b2afb9a1bc8923fbe92af82beb12eN.exe
      C:\Users\Admin\Downloads\240920-p9yjgsxhqj25bafa2018b75ef616c76f48fe87aa33fd2b2afb9a1bc8923fbe92af82beb12eN.exe
      4⤵
      Loads dropped DLL
      Suspicious use of UnmapMainImage
      PID:9180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9180 -s 264
        5⤵
        Program crash
        
        PID:10216
  - - C:\Users\Admin\Downloads\240920-p4dl5axcmgeda1561b1b5f564349a7d3a8fb23117a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p4dl5axcmgeda1561b1b5f564349a7d3a8fb23117a_JaffaCakes118.exe
      4⤵
      PID:9008
    - - C:\Windows\SysWOW64\rtmcodecs\iexpress.exe
        
        "C:\Windows\SysWOW64\rtmcodecs\iexpress.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:11652
  - - C:\Users\Admin\Downloads\240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
      C:\Users\Admin\Downloads\240920-p9c8jsxhmp83bb58afe492a38d7eb9fee0543696ce0844c89b70eb5faee87f76218c21b717N.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:7300
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8784
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        
        PID:10420
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        
        PID:11184
  - - C:\Users\Admin\Downloads\240920-p9w1naxhpqeda52dc5ca55d40d087dbac5aba60e07_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p9w1naxhpqeda52dc5ca55d40d087dbac5aba60e07_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:7484
  - - C:\Users\Admin\Downloads\240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
      C:\Users\Admin\Downloads\240920-pye8rsxcrrf696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:768
  - - C:\Users\Admin\Downloads\240920-qeqqtsybrqfb603adcb40e71e06f1114e301aebb78be904818dff545a9c8158453057b0aa2N.exe
      C:\Users\Admin\Downloads\240920-qeqqtsybrqfb603adcb40e71e06f1114e301aebb78be904818dff545a9c8158453057b0aa2N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:10024
    - - C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        5⤵
        
        PID:9460
      - C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10652
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        7⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12076
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        9⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        11⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:444
  - - C:\Users\Admin\Downloads\240920-pwhacawhmaed9ba968cf6a93ebba90300b0b2612c8_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pwhacawhmaed9ba968cf6a93ebba90300b0b2612c8_JaffaCakes118.exe
      4⤵
      PID:10748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10748 -s 324
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:11740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10748 -s 404
        5⤵
        Program crash
        
        PID:16152
  - - C:\Users\Admin\Downloads\240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pwx1ssxckped9c0c1b20b1873ca8c8fbf5be3036f6_JaffaCakes118.exe
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:11076
  - - C:\Users\Admin\Downloads\240920-pskajaxapp52271c0a322dc8086b4773cada12947eef8b84ba166ca4be515f021523217e59N.exe
      C:\Users\Admin\Downloads\240920-pskajaxapp52271c0a322dc8086b4773cada12947eef8b84ba166ca4be515f021523217e59N.exe
      4⤵
      PID:11116
    - - C:\Users\Admin\Downloads\240920-pskajaxapp52271c0a322dc8086b4773cada12947eef8b84ba166ca4be515f021523217e59N.exe
        
        C:\Users\Admin\Downloads\240920-pskajaxapp52271c0a322dc8086b4773cada12947eef8b84ba166ca4be515f021523217e59N.exe -deleter
        5⤵
        
        PID:9076
  - - C:\Users\Admin\Downloads\240920-pznxasxdmk384601ce9d5b15f2fc46f59ad2ea668675787b217565bc141291233190c25390N.exe
      C:\Users\Admin\Downloads\240920-pznxasxdmk384601ce9d5b15f2fc46f59ad2ea668675787b217565bc141291233190c25390N.exe
      4⤵
      Loads dropped DLL
      PID:11128
  - - C:\Users\Admin\Downloads\240920-pzadxaxanced9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pzadxaxanced9e408758538897b98a27f61eecea9e_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:11140
  - - C:\Users\Admin\Downloads\240920-p9hg9sxeqd0669979483ebee857ec43749e104d092f79049a7167639d47a3431120485a1e4N.exe
      C:\Users\Admin\Downloads\240920-p9hg9sxeqd0669979483ebee857ec43749e104d092f79049a7167639d47a3431120485a1e4N.exe
      4⤵
      Modifies registry class
      PID:11148
    - - C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10676
  - - C:\Users\Admin\Downloads\240920-qkbtvsyaqe944a7ea18b7fcb516eb1ff84ec98faad31719c9bbe530e55a9dfa4028c3f0cbbN.exe
      C:\Users\Admin\Downloads\240920-qkbtvsyaqe944a7ea18b7fcb516eb1ff84ec98faad31719c9bbe530e55a9dfa4028c3f0cbbN.exe
      4⤵
      PID:11156
    - - C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        5⤵
        Modifies registry class
        
        PID:12184
      - C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10064 -s 384
        7⤵
        Program crash
        
        PID:12572
  - - C:\Users\Admin\Downloads\240920-p7xt6sxgqmeda3c8802aa54cb0c5b574604a256cea_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p7xt6sxgqmeda3c8802aa54cb0c5b574604a256cea_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:11164
  - - C:\Users\Admin\Downloads\240920-p5hx8sxfnr687685909ef3d3d14d6f42e3517fb6189f7dfc5eac66b5c3c3beb65b0389ca90N.exe
      C:\Users\Admin\Downloads\240920-p5hx8sxfnr687685909ef3d3d14d6f42e3517fb6189f7dfc5eac66b5c3c3beb65b0389ca90N.exe
      4⤵
      PID:11172
    - - C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        5⤵
        
        PID:10976
      - C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        6⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        7⤵
        Drops file in System32 directory
        
        PID:10492
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        8⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        9⤵
        
        PID:8140
  - - C:\Users\Admin\Downloads\240920-ptf99sxbjkfile.exe
      C:\Users\Admin\Downloads\240920-ptf99sxbjkfile.exe
      4⤵
      PID:11180
  - - C:\Users\Admin\Downloads\240920-p959bsxfjb903caacf0bb4fd8772804bfa32faba64a3b668c3ed32e7b607943a54d33a6c37N.exe
      C:\Users\Admin\Downloads\240920-p959bsxfjb903caacf0bb4fd8772804bfa32faba64a3b668c3ed32e7b607943a54d33a6c37N.exe
      4⤵
      PID:11200
    - - C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        5⤵
        
        PID:11332
      - C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        6⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        7⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        8⤵
        
        PID:12160
  - - C:\Users\Admin\Downloads\240920-p9xl7axerdeda52ff7d3c9a15af9c7132ff50ed923_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p9xl7axerdeda52ff7d3c9a15af9c7132ff50ed923_JaffaCakes118.exe
      4⤵
      PID:11208
  - - C:\Users\Admin\Downloads\240920-p9zrjsxergeda53b48466d7a6c47d8e822caeb9b5f_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p9zrjsxergeda53b48466d7a6c47d8e822caeb9b5f_JaffaCakes118.exe
      4⤵
      PID:11216
  - - C:\Users\Admin\Downloads\240920-qbdxvsyaml8abbdef95beac2aec293a8b8f0feedcf8941466fd2a6171e7c2d1f44d3a07019N.exe
      C:\Users\Admin\Downloads\240920-qbdxvsyaml8abbdef95beac2aec293a8b8f0feedcf8941466fd2a6171e7c2d1f44d3a07019N.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:11224
  - - C:\Users\Admin\Downloads\240920-p9x8qaxereeda53730e142fc1d1d24f231edc2d306_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p9x8qaxereeda53730e142fc1d1d24f231edc2d306_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:11232
  - - C:\Users\Admin\Downloads\240920-qa2brsyalk18c262c08dce6a59267af49ac575ddd996ebd7b1d8bcfb31cff9f9f9814cfd91.exe
      C:\Users\Admin\Downloads\240920-qa2brsyalk18c262c08dce6a59267af49ac575ddd996ebd7b1d8bcfb31cff9f9f9814cfd91.exe
      4⤵
      PID:11244
  - - C:\Users\Admin\Downloads\240920-px53ssxajf4aa22b1a9231b6ca5a59bef2b6fac78427b2b4ee4423310b6a916344900095b2N.exe
      C:\Users\Admin\Downloads\240920-px53ssxajf4aa22b1a9231b6ca5a59bef2b6fac78427b2b4ee4423310b6a916344900095b2N.exe
      4⤵
      Drops file in System32 directory
      PID:11256
    - - C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        5⤵
        
        PID:11456
      - C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        6⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12688
        
        C:\Windows\SysWOW64\Lmnlpcel.exe
        
        C:\Windows\system32\Lmnlpcel.exe
        8⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\Gpgnjebd.exe
        
        C:\Windows\system32\Gpgnjebd.exe
        9⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        10⤵
        
        PID:15904
        
        C:\Windows\SysWOW64\Ihjafd32.exe
        
        C:\Windows\system32\Ihjafd32.exe
        11⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\Jjhjae32.exe
        
        C:\Windows\system32\Jjhjae32.exe
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:15112
        
        C:\Windows\SysWOW64\Kppbejka.exe
        
        C:\Windows\system32\Kppbejka.exe
        13⤵
        Drops file in System32 directory
        
        PID:11108
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        14⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        15⤵
        
        PID:16208
  - - C:\Users\Admin\Downloads\240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:7932
    - - C:\Users\Admin\Downloads\240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240920-pxtprsxcpjed9cb2f3d3da05fc5ed9db498376aba6_JaffaCakes118.exe
        5⤵
        Modifies WinLogon for persistence
        Impair Defenses: Safe Mode Boot
        Modifies WinLogon
        
        PID:7788
  - - C:\Users\Admin\Downloads\240920-qjpdkayanbedab501b5733193424402503aaf4ee27_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qjpdkayanbedab501b5733193424402503aaf4ee27_JaffaCakes118.exe
      4⤵
      PID:7936
  - - C:\Users\Admin\Downloads\240920-psckpaxapjed99228a19cead91bf9c52062803d509_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-psckpaxapjed99228a19cead91bf9c52062803d509_JaffaCakes118.exe
      4⤵
      PID:6248
  - - C:\Users\Admin\Downloads\240920-qbm6jayankeda64880f77ed2226cf9dd5cf314ae4e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qbm6jayankeda64880f77ed2226cf9dd5cf314ae4e_JaffaCakes118.exe
      4⤵
      Adds Run key to start application
      PID:5568
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        5⤵
        Adds Run key to start application
        
        PID:6336
  - - C:\Users\Admin\Downloads\240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Modifies Internet Explorer settings
      PID:8464
    - - C:\Users\Admin\Downloads\240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240920-qhjrpaxhrfedaa5ce0c0563665aacf51270300cd72_JaffaCakes118.exe
        5⤵
        Modifies Internet Explorer start page
        Modifies registry class
        
        PID:10744
  - - C:\Users\Admin\Downloads\240920-p2l6gsxekmed9ff149f56b2740d186e53182369530_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p2l6gsxekmed9ff149f56b2740d186e53182369530_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:8996
  - - C:\Users\Admin\Downloads\240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe
      C:\Users\Admin\Downloads\240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe
      4⤵
      Suspicious use of SetThreadContext
      PID:3812
    - - C:\Users\Admin\Downloads\240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe
        
        "C:\Users\Admin\Downloads\240920-ptqtpswgpa43d30cb9d423e7cb712c63bbf1ab9ef621ce3f9d9ec2d03fadd7a87f144227aaN.exe"
        5⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1408
      - C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\syswow64\msiexec.exe
        6⤵
        Adds policy Run key to start application
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:9172
  - - C:\Users\Admin\Downloads\240920-qd47tsxgnb551069183cfa0c7842141924b36938e2469b84b74e63b6ae4b078240c91e273eN.exe
      C:\Users\Admin\Downloads\240920-qd47tsxgnb551069183cfa0c7842141924b36938e2469b84b74e63b6ae4b078240c91e273eN.exe
      4⤵
      PID:7608
  - - C:\Users\Admin\Downloads\240920-p4d8naxcnaMonsterHunterWorldv20200109-v20231017Plus67Trainer.exe
      C:\Users\Admin\Downloads\240920-p4d8naxcnaMonsterHunterWorldv20200109-v20231017Plus67Trainer.exe
      4⤵
      PID:8204
  - - C:\Users\Admin\Downloads\240920-qdvndsxgmed7f287f64be25e712ef14f64de6802ef3b1dbcb251e9fce4e26171193ca525c4N.exe
      C:\Users\Admin\Downloads\240920-qdvndsxgmed7f287f64be25e712ef14f64de6802ef3b1dbcb251e9fce4e26171193ca525c4N.exe
      4⤵
      Modifies registry class
      PID:5200
    - - C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        5⤵
        
        PID:11976
  - - C:\Users\Admin\Downloads\240920-p96j4axhrjeda564fac46137aaedb49314112a83b0_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p96j4axhrjeda564fac46137aaedb49314112a83b0_JaffaCakes118.exe
      4⤵
      PID:9920
    - - C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12060
      - C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        6⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        8⤵
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        9⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:12656
        
        C:\Windows\SysWOW64\wininet.exe
        
        C:\Windows\system32\wininet.exe
        11⤵
        
        PID:13184
  - - C:\Users\Admin\Downloads\240920-qgxbdsydjja02e4d5b4125aab036d9223b3fb522ee377e3e68b376aa01285c25446928a491N.exe
      C:\Users\Admin\Downloads\240920-qgxbdsydjja02e4d5b4125aab036d9223b3fb522ee377e3e68b376aa01285c25446928a491N.exe
      4⤵
      Modifies registry class
      PID:9328
  - - C:\Users\Admin\Downloads\240920-p7h11sxgpkeda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p7h11sxgpkeda384b6c7545da8e449b2778b94a289_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:9680
  - - C:\Users\Admin\Downloads\240920-p8p6qaxhjreda44d9dd372786b7c8c9710442a294a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p8p6qaxhjreda44d9dd372786b7c8c9710442a294a_JaffaCakes118.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:9732
  - - C:\Users\Admin\Downloads\240920-pyd1psxakced9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pyd1psxakced9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
      4⤵
      Checks computer location settings
      PID:7708
    - - C:\Users\Admin\AppData\Roaming\VIP72.exe
        
        "C:\Users\Admin\AppData\Roaming\VIP72.exe"
        5⤵
        
        PID:5732
  - - C:\Users\Admin\Downloads\240920-p1cknaxdpm1fc10f9b2761624cc2fe649f39a53c6ffb5ead322076161e136b4ccf6ea3a465N.exe
      C:\Users\Admin\Downloads\240920-p1cknaxdpm1fc10f9b2761624cc2fe649f39a53c6ffb5ead322076161e136b4ccf6ea3a465N.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:9512
    - - C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12236
      - C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        6⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9808
  - - C:\Users\Admin\Downloads\240920-p1gjlsxbjced9f12cb634ff080966701991f82d110_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p1gjlsxbjced9f12cb634ff080966701991f82d110_JaffaCakes118.exe
      4⤵
      PID:11528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11528 -s 264
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:11356
  - - C:\Users\Admin\Downloads\240920-pr5vvaxann96aef263cf8b4f89c56a0dc5e7fdf5461d161dec09c32b96779d42184554e437N.exe
      C:\Users\Admin\Downloads\240920-pr5vvaxann96aef263cf8b4f89c56a0dc5e7fdf5461d161dec09c32b96779d42184554e437N.exe
      4⤵
      PID:7272
    - - C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9664
      - C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9636
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8912
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        8⤵
        Drops file in System32 directory
        
        PID:6840
  - - C:\Users\Admin\Downloads\240920-qckrssxfreeda6e58af1b4b78c707d1f94684d0d88_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qckrssxfreeda6e58af1b4b78c707d1f94684d0d88_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:8688
  - - C:\Users\Admin\Downloads\240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
      C:\Users\Admin\Downloads\240920-qfbcjaxgrg286e6df60573977f1dae2c35a803455fc521e04f862de7d40dfc772a2b0816faN.exe
      4⤵
      Drops file in Windows directory
      PID:6884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5744
    - - C:\Windows\System\fRHTEZs.exe
        
        C:\Windows\System\fRHTEZs.exe
        5⤵
        
        PID:8424
    - - C:\Windows\System\jAsKnjm.exe
        
        C:\Windows\System\jAsKnjm.exe
        5⤵
        
        PID:6088
    - - C:\Windows\System\HYHqzza.exe
        
        C:\Windows\System\HYHqzza.exe
        5⤵
        
        PID:6024
    - - C:\Windows\System\kbbvZRw.exe
        
        C:\Windows\System\kbbvZRw.exe
        5⤵
        
        PID:9032
    - - C:\Windows\System\wTICywh.exe
        
        C:\Windows\System\wTICywh.exe
        5⤵
        
        PID:9448
    - - C:\Windows\System\luOYHUU.exe
        
        C:\Windows\System\luOYHUU.exe
        5⤵
        
        PID:5576
    - - C:\Windows\System\AsHHhxt.exe
        
        C:\Windows\System\AsHHhxt.exe
        5⤵
        
        PID:7776
    - - C:\Windows\System\DcnGVPf.exe
        
        C:\Windows\System\DcnGVPf.exe
        5⤵
        
        PID:5232
    - - C:\Windows\System\FtkBpQa.exe
        
        C:\Windows\System\FtkBpQa.exe
        5⤵
        
        PID:11896
    - - C:\Windows\System\QVoEWYs.exe
        
        C:\Windows\System\QVoEWYs.exe
        5⤵
        
        PID:11960
    - - C:\Windows\System\kKeXTeC.exe
        
        C:\Windows\System\kKeXTeC.exe
        5⤵
        
        PID:11552
    - - C:\Windows\System\NZgvocL.exe
        
        C:\Windows\System\NZgvocL.exe
        5⤵
        
        PID:12100
    - - C:\Windows\System\VxDAZdP.exe
        
        C:\Windows\System\VxDAZdP.exe
        5⤵
        
        PID:12124
    - - C:\Windows\System\mMaSVXY.exe
        
        C:\Windows\System\mMaSVXY.exe
        5⤵
        
        PID:12204
    - - C:\Windows\System\hFPIJMz.exe
        
        C:\Windows\System\hFPIJMz.exe
        5⤵
        
        PID:11984
    - - C:\Windows\System\ckJIXRj.exe
        
        C:\Windows\System\ckJIXRj.exe
        5⤵
        
        PID:6096
    - - C:\Windows\System\zEUgRAF.exe
        
        C:\Windows\System\zEUgRAF.exe
        5⤵
        
        PID:10324
    - - C:\Windows\System\SraYAtu.exe
        
        C:\Windows\System\SraYAtu.exe
        5⤵
        
        PID:9268
    - - C:\Windows\System\IFFplrJ.exe
        
        C:\Windows\System\IFFplrJ.exe
        5⤵
        
        PID:9480
    - - C:\Windows\System\vEABIis.exe
        
        C:\Windows\System\vEABIis.exe
        5⤵
        
        PID:12132
    - - C:\Windows\System\DsmuBPk.exe
        
        C:\Windows\System\DsmuBPk.exe
        5⤵
        
        PID:12180
    - - C:\Windows\System\gMBWXsu.exe
        
        C:\Windows\System\gMBWXsu.exe
        5⤵
        
        PID:7876
    - - C:\Windows\System\KvXatus.exe
        
        C:\Windows\System\KvXatus.exe
        5⤵
        
        PID:8472
    - - C:\Windows\System\OpMIspl.exe
        
        C:\Windows\System\OpMIspl.exe
        5⤵
        
        PID:12032
    - - C:\Windows\System\RYanXXB.exe
        
        C:\Windows\System\RYanXXB.exe
        5⤵
        
        PID:12064
    - - C:\Windows\System\sBkGWMe.exe
        
        C:\Windows\System\sBkGWMe.exe
        5⤵
        
        PID:10780
    - - C:\Windows\System\qmfKttA.exe
        
        C:\Windows\System\qmfKttA.exe
        5⤵
        
        PID:12744
    - - C:\Windows\System\yeBgrcR.exe
        
        C:\Windows\System\yeBgrcR.exe
        5⤵
        
        PID:12760
    - - C:\Windows\System\fGuoXDf.exe
        
        C:\Windows\System\fGuoXDf.exe
        5⤵
        
        PID:12776
    - - C:\Windows\System\cTGNIQw.exe
        
        C:\Windows\System\cTGNIQw.exe
        5⤵
        
        PID:12792
    - - C:\Windows\System\ihHemiW.exe
        
        C:\Windows\System\ihHemiW.exe
        5⤵
        
        PID:12808
    - - C:\Windows\System\bEceqOU.exe
        
        C:\Windows\System\bEceqOU.exe
        5⤵
        
        PID:12824
    - - C:\Windows\System\tmqEgFH.exe
        
        C:\Windows\System\tmqEgFH.exe
        5⤵
        
        PID:12852
    - - C:\Windows\System\ahtIuGb.exe
        
        C:\Windows\System\ahtIuGb.exe
        5⤵
        
        PID:12876
    - - C:\Windows\System\zrBZxVY.exe
        
        C:\Windows\System\zrBZxVY.exe
        5⤵
        
        PID:12940
    - - C:\Windows\System\srptYcw.exe
        
        C:\Windows\System\srptYcw.exe
        5⤵
        
        PID:12956
    - - C:\Windows\System\XMsnIKa.exe
        
        C:\Windows\System\XMsnIKa.exe
        5⤵
        
        PID:12976
    - - C:\Windows\System\FfwWwss.exe
        
        C:\Windows\System\FfwWwss.exe
        5⤵
        
        PID:12992
    - - C:\Windows\System\LVtwGgx.exe
        
        C:\Windows\System\LVtwGgx.exe
        5⤵
        
        PID:13016
    - - C:\Windows\System\DpfeTNA.exe
        
        C:\Windows\System\DpfeTNA.exe
        5⤵
        
        PID:13032
    - - C:\Windows\System\AtPRnUs.exe
        
        C:\Windows\System\AtPRnUs.exe
        5⤵
        
        PID:13052
    - - C:\Windows\System\KOAoCrO.exe
        
        C:\Windows\System\KOAoCrO.exe
        5⤵
        
        PID:13068
    - - C:\Windows\System\zNpXPpa.exe
        
        C:\Windows\System\zNpXPpa.exe
        5⤵
        
        PID:13084
    - - C:\Windows\System\pjNTJIr.exe
        
        C:\Windows\System\pjNTJIr.exe
        5⤵
        
        PID:13108
    - - C:\Windows\System\HNtUimS.exe
        
        C:\Windows\System\HNtUimS.exe
        5⤵
        
        PID:13128
    - - C:\Windows\System\UElzOap.exe
        
        C:\Windows\System\UElzOap.exe
        5⤵
        
        PID:13144
    - - C:\Windows\System\SKIeLZE.exe
        
        C:\Windows\System\SKIeLZE.exe
        5⤵
        
        PID:13188
    - - C:\Windows\System\fzKdcQC.exe
        
        C:\Windows\System\fzKdcQC.exe
        5⤵
        
        PID:13208
    - - C:\Windows\System\cvDtnJJ.exe
        
        C:\Windows\System\cvDtnJJ.exe
        5⤵
        
        PID:13228
    - - C:\Windows\System\PhksVEv.exe
        
        C:\Windows\System\PhksVEv.exe
        5⤵
        
        PID:13244
    - - C:\Windows\System\YNubKWk.exe
        
        C:\Windows\System\YNubKWk.exe
        5⤵
        
        PID:13264
    - - C:\Windows\System\yyryODu.exe
        
        C:\Windows\System\yyryODu.exe
        5⤵
        
        PID:13280
    - - C:\Windows\System\KtuQnxj.exe
        
        C:\Windows\System\KtuQnxj.exe
        5⤵
        
        PID:13296
    - - C:\Windows\System\XnfqScs.exe
        
        C:\Windows\System\XnfqScs.exe
        5⤵
        
        PID:12420
    - - C:\Windows\System\ByMgzOw.exe
        
        C:\Windows\System\ByMgzOw.exe
        5⤵
        
        PID:2004
    - - C:\Windows\System\AeGmhfe.exe
        
        C:\Windows\System\AeGmhfe.exe
        5⤵
        
        PID:10252
    - - C:\Windows\System\roaOpLp.exe
        
        C:\Windows\System\roaOpLp.exe
        5⤵
        
        PID:10292
    - - C:\Windows\System\sRuOKyQ.exe
        
        C:\Windows\System\sRuOKyQ.exe
        5⤵
        
        PID:3164
    - - C:\Windows\System\PsdSEiR.exe
        
        C:\Windows\System\PsdSEiR.exe
        5⤵
        
        PID:8044
    - - C:\Windows\System\tBWofAQ.exe
        
        C:\Windows\System\tBWofAQ.exe
        5⤵
        
        PID:5560
    - - C:\Windows\System\oTKmTUb.exe
        
        C:\Windows\System\oTKmTUb.exe
        5⤵
        
        PID:8480
    - - C:\Windows\System\ipAzusq.exe
        
        C:\Windows\System\ipAzusq.exe
        5⤵
        
        PID:9028
    - - C:\Windows\System\ivXJCMG.exe
        
        C:\Windows\System\ivXJCMG.exe
        5⤵
        
        PID:11276
    - - C:\Windows\System\yPltAFB.exe
        
        C:\Windows\System\yPltAFB.exe
        5⤵
        
        PID:7664
    - - C:\Windows\System\NDaKKYT.exe
        
        C:\Windows\System\NDaKKYT.exe
        5⤵
        
        PID:12128
    - - C:\Windows\System\nEfPSeZ.exe
        
        C:\Windows\System\nEfPSeZ.exe
        5⤵
        
        PID:5644
    - - C:\Windows\System\JknRIVs.exe
        
        C:\Windows\System\JknRIVs.exe
        5⤵
        
        PID:7136
    - - C:\Windows\System\tiMahZs.exe
        
        C:\Windows\System\tiMahZs.exe
        5⤵
        
        PID:6028
    - - C:\Windows\System\Eahwbcr.exe
        
        C:\Windows\System\Eahwbcr.exe
        5⤵
        
        PID:6032
    - - C:\Windows\System\qJuzuOC.exe
        
        C:\Windows\System\qJuzuOC.exe
        5⤵
        
        PID:13340
    - - C:\Windows\System\jsfuQdN.exe
        
        C:\Windows\System\jsfuQdN.exe
        5⤵
        
        PID:13516
    - - C:\Windows\System\yZNpJtc.exe
        
        C:\Windows\System\yZNpJtc.exe
        5⤵
        
        PID:13532
    - - C:\Windows\System\hplTtMM.exe
        
        C:\Windows\System\hplTtMM.exe
        5⤵
        
        PID:13580
    - - C:\Windows\System\WuuGPIi.exe
        
        C:\Windows\System\WuuGPIi.exe
        5⤵
        
        PID:13596
    - - C:\Windows\System\yKQaQQf.exe
        
        C:\Windows\System\yKQaQQf.exe
        5⤵
        
        PID:13612
    - - C:\Windows\System\CBlhHCI.exe
        
        C:\Windows\System\CBlhHCI.exe
        5⤵
        
        PID:13636
    - - C:\Windows\System\kYwAeIb.exe
        
        C:\Windows\System\kYwAeIb.exe
        5⤵
        
        PID:13652
    - - C:\Windows\System\AFSsaRE.exe
        
        C:\Windows\System\AFSsaRE.exe
        5⤵
        
        PID:13676
    - - C:\Windows\System\TWQEsTh.exe
        
        C:\Windows\System\TWQEsTh.exe
        5⤵
        
        PID:13768
    - - C:\Windows\System\txuxNpt.exe
        
        C:\Windows\System\txuxNpt.exe
        5⤵
        
        PID:13784
    - - C:\Windows\System\ofxaKeh.exe
        
        C:\Windows\System\ofxaKeh.exe
        5⤵
        
        PID:13800
    - - C:\Windows\System\IuCirqs.exe
        
        C:\Windows\System\IuCirqs.exe
        5⤵
        
        PID:13824
    - - C:\Windows\System\zqaMzMX.exe
        
        C:\Windows\System\zqaMzMX.exe
        5⤵
        
        PID:13840
    - - C:\Windows\System\JadGlEc.exe
        
        C:\Windows\System\JadGlEc.exe
        5⤵
        
        PID:13884
    - - C:\Windows\System\NpMUFss.exe
        
        C:\Windows\System\NpMUFss.exe
        5⤵
        
        PID:13900
    - - C:\Windows\System\cwjtpoV.exe
        
        C:\Windows\System\cwjtpoV.exe
        5⤵
        
        PID:13916
    - - C:\Windows\System\oFmEAaD.exe
        
        C:\Windows\System\oFmEAaD.exe
        5⤵
        
        PID:13940
    - - C:\Windows\System\UFMwclE.exe
        
        C:\Windows\System\UFMwclE.exe
        5⤵
        
        PID:13956
    - - C:\Windows\System\FqitXcG.exe
        
        C:\Windows\System\FqitXcG.exe
        5⤵
        
        PID:13972
    - - C:\Windows\System\WKJyjju.exe
        
        C:\Windows\System\WKJyjju.exe
        5⤵
        
        PID:14000
    - - C:\Windows\System\fyIXKFF.exe
        
        C:\Windows\System\fyIXKFF.exe
        5⤵
        
        PID:14028
    - - C:\Windows\System\qwEKuiN.exe
        
        C:\Windows\System\qwEKuiN.exe
        5⤵
        
        PID:14052
    - - C:\Windows\System\xwuyLQn.exe
        
        C:\Windows\System\xwuyLQn.exe
        5⤵
        
        PID:14068
    - - C:\Windows\System\RCRHRqU.exe
        
        C:\Windows\System\RCRHRqU.exe
        5⤵
        
        PID:14096
    - - C:\Windows\System\XSoVQQi.exe
        
        C:\Windows\System\XSoVQQi.exe
        5⤵
        
        PID:14128
    - - C:\Windows\System\KeiDTjA.exe
        
        C:\Windows\System\KeiDTjA.exe
        5⤵
        
        PID:14152
    - - C:\Windows\System\uQrGFwE.exe
        
        C:\Windows\System\uQrGFwE.exe
        5⤵
        
        PID:14168
    - - C:\Windows\System\SNhGJHl.exe
        
        C:\Windows\System\SNhGJHl.exe
        5⤵
        
        PID:14184
    - - C:\Windows\System\cPnaKht.exe
        
        C:\Windows\System\cPnaKht.exe
        5⤵
        
        PID:14200
    - - C:\Windows\System\UxgxLVW.exe
        
        C:\Windows\System\UxgxLVW.exe
        5⤵
        
        PID:14216
    - - C:\Windows\System\iBhMQaC.exe
        
        C:\Windows\System\iBhMQaC.exe
        5⤵
        
        PID:14232
    - - C:\Windows\System\ZeNynGY.exe
        
        C:\Windows\System\ZeNynGY.exe
        5⤵
        
        PID:14252
    - - C:\Windows\System\DXlpHbt.exe
        
        C:\Windows\System\DXlpHbt.exe
        5⤵
        
        PID:14268
    - - C:\Windows\System\ayOywAT.exe
        
        C:\Windows\System\ayOywAT.exe
        5⤵
        
        PID:14284
    - - C:\Windows\System\YfoRNfW.exe
        
        C:\Windows\System\YfoRNfW.exe
        5⤵
        
        PID:14300
    - - C:\Windows\System\WimVCbk.exe
        
        C:\Windows\System\WimVCbk.exe
        5⤵
        
        PID:14316
    - - C:\Windows\System\qYbRPiB.exe
        
        C:\Windows\System\qYbRPiB.exe
        5⤵
        
        PID:12480
    - - C:\Windows\System\PBRPeod.exe
        
        C:\Windows\System\PBRPeod.exe
        5⤵
        
        PID:11940
    - - C:\Windows\System\SFkCkvi.exe
        
        C:\Windows\System\SFkCkvi.exe
        5⤵
        
        PID:10628
    - - C:\Windows\System\zehvEuB.exe
        
        C:\Windows\System\zehvEuB.exe
        5⤵
        
        PID:10684
    - - C:\Windows\System\MvSCCto.exe
        
        C:\Windows\System\MvSCCto.exe
        5⤵
        
        PID:10756
    - - C:\Windows\System\yinNmQO.exe
        
        C:\Windows\System\yinNmQO.exe
        5⤵
        
        PID:6476
    - - C:\Windows\System\HahLgfg.exe
        
        C:\Windows\System\HahLgfg.exe
        5⤵
        
        PID:1504
    - - C:\Windows\System\qkrPUnM.exe
        
        C:\Windows\System\qkrPUnM.exe
        5⤵
        
        PID:3140
    - - C:\Windows\System\CihXpxu.exe
        
        C:\Windows\System\CihXpxu.exe
        5⤵
        
        PID:1740
    - - C:\Windows\System\jzayXRp.exe
        
        C:\Windows\System\jzayXRp.exe
        5⤵
        
        PID:5848
    - - C:\Windows\System\WpsmuVk.exe
        
        C:\Windows\System\WpsmuVk.exe
        5⤵
        
        PID:1448
    - - C:\Windows\System\lyqwURq.exe
        
        C:\Windows\System\lyqwURq.exe
        5⤵
        
        PID:4604
    - - C:\Windows\System\cqDgoJH.exe
        
        C:\Windows\System\cqDgoJH.exe
        5⤵
        
        PID:3080
    - - C:\Windows\System\SvMzlcQ.exe
        
        C:\Windows\System\SvMzlcQ.exe
        5⤵
        
        PID:336
    - - C:\Windows\System\jgxaCCf.exe
        
        C:\Windows\System\jgxaCCf.exe
        5⤵
        
        PID:3212
    - - C:\Windows\System\YhYuSgi.exe
        
        C:\Windows\System\YhYuSgi.exe
        5⤵
        
        PID:2972
    - - C:\Windows\System\uLSKMaD.exe
        
        C:\Windows\System\uLSKMaD.exe
        5⤵
        
        PID:10048
    - - C:\Windows\System\uYAEAoF.exe
        
        C:\Windows\System\uYAEAoF.exe
        5⤵
        
        PID:12900
    - - C:\Windows\System\qOIdQzy.exe
        
        C:\Windows\System\qOIdQzy.exe
        5⤵
        
        PID:11072
    - - C:\Windows\System\JlyjBZN.exe
        
        C:\Windows\System\JlyjBZN.exe
        5⤵
        
        PID:7068
    - - C:\Windows\System\RFycEyA.exe
        
        C:\Windows\System\RFycEyA.exe
        5⤵
        
        PID:12276
    - - C:\Windows\System\XAMJwlK.exe
        
        C:\Windows\System\XAMJwlK.exe
        5⤵
        
        PID:6676
    - - C:\Windows\System\tpQpLDC.exe
        
        C:\Windows\System\tpQpLDC.exe
        5⤵
        
        PID:8740
    - - C:\Windows\System\itdueBv.exe
        
        C:\Windows\System\itdueBv.exe
        5⤵
        
        PID:9808
    - - C:\Windows\System\qEkfTZI.exe
        
        C:\Windows\System\qEkfTZI.exe
        5⤵
        
        PID:1276
    - - C:\Windows\System\owgdILh.exe
        
        C:\Windows\System\owgdILh.exe
        5⤵
        
        PID:10572
    - - C:\Windows\System\MWOgyzk.exe
        
        C:\Windows\System\MWOgyzk.exe
        5⤵
        
        PID:13024
    - - C:\Windows\System\hDJqNMb.exe
        
        C:\Windows\System\hDJqNMb.exe
        5⤵
        
        PID:3968
    - - C:\Windows\System\vEmMiul.exe
        
        C:\Windows\System\vEmMiul.exe
        5⤵
        
        PID:3020
    - - C:\Windows\System\JQnSbmv.exe
        
        C:\Windows\System\JQnSbmv.exe
        5⤵
        
        PID:13224
    - - C:\Windows\System\mFAyNVX.exe
        
        C:\Windows\System\mFAyNVX.exe
        5⤵
        
        PID:1420
    - - C:\Windows\System\MgoxxXu.exe
        
        C:\Windows\System\MgoxxXu.exe
        5⤵
        
        PID:2760
    - - C:\Windows\System\XHmDXRX.exe
        
        C:\Windows\System\XHmDXRX.exe
        5⤵
        
        PID:13304
    - - C:\Windows\System\wEkrucW.exe
        
        C:\Windows\System\wEkrucW.exe
        5⤵
        
        PID:10272
    - - C:\Windows\System\HkyzsKD.exe
        
        C:\Windows\System\HkyzsKD.exe
        5⤵
        
        PID:2800
    - - C:\Windows\System\UUVlKQp.exe
        
        C:\Windows\System\UUVlKQp.exe
        5⤵
        
        PID:5152
    - - C:\Windows\System\oBiULbv.exe
        
        C:\Windows\System\oBiULbv.exe
        5⤵
        
        PID:8172
    - - C:\Windows\System\hCfYisV.exe
        
        C:\Windows\System\hCfYisV.exe
        5⤵
        
        PID:6692
    - - C:\Windows\System\KSkcCFi.exe
        
        C:\Windows\System\KSkcCFi.exe
        5⤵
        
        PID:14352
    - - C:\Windows\System\bOrbCGY.exe
        
        C:\Windows\System\bOrbCGY.exe
        5⤵
        
        PID:14368
    - - C:\Windows\System\xLXtfRU.exe
        
        C:\Windows\System\xLXtfRU.exe
        5⤵
        
        PID:14384
    - - C:\Windows\System\BHpWxvB.exe
        
        C:\Windows\System\BHpWxvB.exe
        5⤵
        
        PID:14400
    - - C:\Windows\System\zAnNSkL.exe
        
        C:\Windows\System\zAnNSkL.exe
        5⤵
        
        PID:11308
    - - C:\Windows\System\mnnjvGd.exe
        
        C:\Windows\System\mnnjvGd.exe
        5⤵
        
        PID:10516
    - - C:\Windows\System\vfMHGjS.exe
        
        C:\Windows\System\vfMHGjS.exe
        5⤵
        
        PID:15244
    - - C:\Windows\System\ujIflLu.exe
        
        C:\Windows\System\ujIflLu.exe
        5⤵
        
        PID:12588
    - - C:\Windows\System\SsUIPFs.exe
        
        C:\Windows\System\SsUIPFs.exe
        5⤵
        
        PID:12664
    - - C:\Windows\System\slfkbFC.exe
        
        C:\Windows\System\slfkbFC.exe
        5⤵
        
        PID:12680
    - - C:\Windows\System\EkSbVBc.exe
        
        C:\Windows\System\EkSbVBc.exe
        5⤵
        
        PID:12756
    - - C:\Windows\System\MVSEVhX.exe
        
        C:\Windows\System\MVSEVhX.exe
        5⤵
        
        PID:12868
    - - C:\Windows\System\SbqXBkZ.exe
        
        C:\Windows\System\SbqXBkZ.exe
        5⤵
        
        PID:12916
    - - C:\Windows\System\Zbrkdxj.exe
        
        C:\Windows\System\Zbrkdxj.exe
        5⤵
        
        PID:12936
    - - C:\Windows\System\pPNsyfq.exe
        
        C:\Windows\System\pPNsyfq.exe
        5⤵
        
        PID:13156
    - - C:\Windows\System\BaJLSDW.exe
        
        C:\Windows\System\BaJLSDW.exe
        5⤵
        
        PID:13252
    - - C:\Windows\System\BxOtThd.exe
        
        C:\Windows\System\BxOtThd.exe
        5⤵
        
        PID:7972
    - - C:\Windows\System\tOOyWnn.exe
        
        C:\Windows\System\tOOyWnn.exe
        5⤵
        
        PID:6264
    - - C:\Windows\System\pAvIGnQ.exe
        
        C:\Windows\System\pAvIGnQ.exe
        5⤵
        
        PID:11648
    - - C:\Windows\System\mnJgHHB.exe
        
        C:\Windows\System\mnJgHHB.exe
        5⤵
        
        PID:6780
    - - C:\Windows\System\XULDCts.exe
        
        C:\Windows\System\XULDCts.exe
        5⤵
        
        PID:11980
    - - C:\Windows\System\zUZRqFo.exe
        
        C:\Windows\System\zUZRqFo.exe
        5⤵
        
        PID:9872
    - - C:\Windows\System\MYwRfWa.exe
        
        C:\Windows\System\MYwRfWa.exe
        5⤵
        
        PID:13328
    - - C:\Windows\System\dZrYnqm.exe
        
        C:\Windows\System\dZrYnqm.exe
        5⤵
        
        PID:5356
    - - C:\Windows\System\XAiZjHi.exe
        
        C:\Windows\System\XAiZjHi.exe
        5⤵
        
        PID:13500
    - - C:\Windows\System\RThXEWx.exe
        
        C:\Windows\System\RThXEWx.exe
        5⤵
        
        PID:13440
    - - C:\Windows\System\lYyVETy.exe
        
        C:\Windows\System\lYyVETy.exe
        5⤵
        
        PID:13568
    - - C:\Windows\System\aSvXbBX.exe
        
        C:\Windows\System\aSvXbBX.exe
        5⤵
        
        PID:13608
    - - C:\Windows\System\pqMOzTR.exe
        
        C:\Windows\System\pqMOzTR.exe
        5⤵
        
        PID:13648
    - - C:\Windows\System\ILYfiwK.exe
        
        C:\Windows\System\ILYfiwK.exe
        5⤵
        
        PID:13692
    - - C:\Windows\System\rmeuEpZ.exe
        
        C:\Windows\System\rmeuEpZ.exe
        5⤵
        
        PID:13708
    - - C:\Windows\System\AGBUJio.exe
        
        C:\Windows\System\AGBUJio.exe
        5⤵
        
        PID:13724
    - - C:\Windows\System\wAadkLk.exe
        
        C:\Windows\System\wAadkLk.exe
        5⤵
        
        PID:13752
    - - C:\Windows\System\MhiRxdA.exe
        
        C:\Windows\System\MhiRxdA.exe
        5⤵
        
        PID:13764
    - - C:\Windows\System\khNJxrS.exe
        
        C:\Windows\System\khNJxrS.exe
        5⤵
        
        PID:13796
    - - C:\Windows\System\WwbazsI.exe
        
        C:\Windows\System\WwbazsI.exe
        5⤵
        
        PID:13820
    - - C:\Windows\System\eSLdKxI.exe
        
        C:\Windows\System\eSLdKxI.exe
        5⤵
        
        PID:13876
    - - C:\Windows\System\mVnrWUU.exe
        
        C:\Windows\System\mVnrWUU.exe
        5⤵
        
        PID:13908
    - - C:\Windows\System\FZYtocn.exe
        
        C:\Windows\System\FZYtocn.exe
        5⤵
        
        PID:13948
    - - C:\Windows\System\cluDkUZ.exe
        
        C:\Windows\System\cluDkUZ.exe
        5⤵
        
        PID:13980
    - - C:\Windows\System\JHuCsmx.exe
        
        C:\Windows\System\JHuCsmx.exe
        5⤵
        
        PID:14040
    - - C:\Windows\System\QeGHwaX.exe
        
        C:\Windows\System\QeGHwaX.exe
        5⤵
        
        PID:14116
    - - C:\Windows\System\dkEJChc.exe
        
        C:\Windows\System\dkEJChc.exe
        5⤵
        
        PID:10612
    - - C:\Windows\System\hbJQFZG.exe
        
        C:\Windows\System\hbJQFZG.exe
        5⤵
        
        PID:14144
    - - C:\Windows\System\PmaXSUA.exe
        
        C:\Windows\System\PmaXSUA.exe
        5⤵
        
        PID:8960
    - - C:\Windows\System\JDfjGDt.exe
        
        C:\Windows\System\JDfjGDt.exe
        5⤵
        
        PID:368
    - - C:\Windows\System\DVcLKWC.exe
        
        C:\Windows\System\DVcLKWC.exe
        5⤵
        
        PID:9936
    - - C:\Windows\System\vifwxsu.exe
        
        C:\Windows\System\vifwxsu.exe
        5⤵
        
        PID:10944
    - - C:\Windows\System\SKMMQAd.exe
        
        C:\Windows\System\SKMMQAd.exe
        5⤵
        
        PID:3240
    - - C:\Windows\System\anxHUrQ.exe
        
        C:\Windows\System\anxHUrQ.exe
        5⤵
        
        PID:11068
    - - C:\Windows\System\fOaafVK.exe
        
        C:\Windows\System\fOaafVK.exe
        5⤵
        
        PID:472
    - - C:\Windows\System\hpbZvaj.exe
        
        C:\Windows\System\hpbZvaj.exe
        5⤵
        
        PID:11736
    - - C:\Windows\System\UIcSrmw.exe
        
        C:\Windows\System\UIcSrmw.exe
        5⤵
        
        PID:12272
    - - C:\Windows\System\KtaScYC.exe
        
        C:\Windows\System\KtaScYC.exe
        5⤵
        
        PID:6796
    - - C:\Windows\System\RfAbBHa.exe
        
        C:\Windows\System\RfAbBHa.exe
        5⤵
        
        PID:7884
    - - C:\Windows\System\EbGVHes.exe
        
        C:\Windows\System\EbGVHes.exe
        5⤵
        
        PID:4716
    - - C:\Windows\System\WIGUIPu.exe
        
        C:\Windows\System\WIGUIPu.exe
        5⤵
        
        PID:13044
    - - C:\Windows\System\NkoLWmM.exe
        
        C:\Windows\System\NkoLWmM.exe
        5⤵
        
        PID:11572
    - - C:\Windows\System\XeBzzxt.exe
        
        C:\Windows\System\XeBzzxt.exe
        5⤵
        
        PID:13204
    - - C:\Windows\System\lvGBdcF.exe
        
        C:\Windows\System\lvGBdcF.exe
        5⤵
        
        PID:1908
    - - C:\Windows\System\BCAcAgh.exe
        
        C:\Windows\System\BCAcAgh.exe
        5⤵
        
        PID:3104
    - - C:\Windows\System\qbDzaYK.exe
        
        C:\Windows\System\qbDzaYK.exe
        5⤵
        
        PID:10120
    - - C:\Windows\System\lEEIqEO.exe
        
        C:\Windows\System\lEEIqEO.exe
        5⤵
        
        PID:5624
    - - C:\Windows\System\KEZJnaI.exe
        
        C:\Windows\System\KEZJnaI.exe
        5⤵
        
        PID:14364
    - - C:\Windows\System\RXHeutg.exe
        
        C:\Windows\System\RXHeutg.exe
        5⤵
        
        PID:14396
    - - C:\Windows\System\BIxCUGr.exe
        
        C:\Windows\System\BIxCUGr.exe
        5⤵
        
        PID:14424
    - - C:\Windows\System\TGVoUxv.exe
        
        C:\Windows\System\TGVoUxv.exe
        5⤵
        
        PID:14452
    - - C:\Windows\System\uyTvRri.exe
        
        C:\Windows\System\uyTvRri.exe
        5⤵
        
        PID:14480
    - - C:\Windows\System\cHqbtzo.exe
        
        C:\Windows\System\cHqbtzo.exe
        5⤵
        
        PID:14512
    - - C:\Windows\System\lRaCFdu.exe
        
        C:\Windows\System\lRaCFdu.exe
        5⤵
        
        PID:14544
    - - C:\Windows\System\NoViMRv.exe
        
        C:\Windows\System\NoViMRv.exe
        5⤵
        
        PID:14584
    - - C:\Windows\System\AGBstRG.exe
        
        C:\Windows\System\AGBstRG.exe
        5⤵
        
        PID:8780
    - - C:\Windows\System\EckueQf.exe
        
        C:\Windows\System\EckueQf.exe
        5⤵
        
        PID:14616
    - - C:\Windows\System\xtVFfiM.exe
        
        C:\Windows\System\xtVFfiM.exe
        5⤵
        
        PID:14648
    - - C:\Windows\System\lTANWQS.exe
        
        C:\Windows\System\lTANWQS.exe
        5⤵
        
        PID:14688
    - - C:\Windows\System\AuqHsFw.exe
        
        C:\Windows\System\AuqHsFw.exe
        5⤵
        
        PID:14724
    - - C:\Windows\System\cMGJgvm.exe
        
        C:\Windows\System\cMGJgvm.exe
        5⤵
        
        PID:14756
    - - C:\Windows\System\azICBqQ.exe
        
        C:\Windows\System\azICBqQ.exe
        5⤵
        
        PID:14788
    - - C:\Windows\System\CHwnXog.exe
        
        C:\Windows\System\CHwnXog.exe
        5⤵
        
        PID:13740
    - - C:\Windows\System\HvkBGhj.exe
        
        C:\Windows\System\HvkBGhj.exe
        5⤵
        
        PID:14832
    - - C:\Windows\System\lGvtQmX.exe
        
        C:\Windows\System\lGvtQmX.exe
        5⤵
        
        PID:14884
    - - C:\Windows\System\gdYZRTi.exe
        
        C:\Windows\System\gdYZRTi.exe
        5⤵
        
        PID:14944
    - - C:\Windows\System\CaXVDhG.exe
        
        C:\Windows\System\CaXVDhG.exe
        5⤵
        
        PID:14992
    - - C:\Windows\System\qPdgpSN.exe
        
        C:\Windows\System\qPdgpSN.exe
        5⤵
        
        PID:15040
    - - C:\Windows\System\NoKoant.exe
        
        C:\Windows\System\NoKoant.exe
        5⤵
        
        PID:15084
    - - C:\Windows\System\SdYVspB.exe
        
        C:\Windows\System\SdYVspB.exe
        5⤵
        
        PID:15140
    - - C:\Windows\System\DAhCDiD.exe
        
        C:\Windows\System\DAhCDiD.exe
        5⤵
        
        PID:14676
    - - C:\Windows\System\nOwpQUT.exe
        
        C:\Windows\System\nOwpQUT.exe
        5⤵
        
        PID:11560
    - - C:\Windows\System\bYcaEDh.exe
        
        C:\Windows\System\bYcaEDh.exe
        5⤵
        
        PID:2244
    - - C:\Windows\System\sJEgvcl.exe
        
        C:\Windows\System\sJEgvcl.exe
        5⤵
        
        PID:1820
    - - C:\Windows\System\LBtILGh.exe
        
        C:\Windows\System\LBtILGh.exe
        5⤵
        
        PID:7416
    - - C:\Windows\System\ALkMMzj.exe
        
        C:\Windows\System\ALkMMzj.exe
        5⤵
        
        PID:5496
    - - C:\Windows\System\DslgHiL.exe
        
        C:\Windows\System\DslgHiL.exe
        5⤵
        
        PID:7016
    - - C:\Windows\System\irxvULE.exe
        
        C:\Windows\System\irxvULE.exe
        5⤵
        
        PID:6280
    - - C:\Windows\System\rpBaDXS.exe
        
        C:\Windows\System\rpBaDXS.exe
        5⤵
        
        PID:4584
    - - C:\Windows\System\OLnclgM.exe
        
        C:\Windows\System\OLnclgM.exe
        5⤵
        
        PID:12004
    - - C:\Windows\System\qxKTwks.exe
        
        C:\Windows\System\qxKTwks.exe
        5⤵
        
        PID:9636
    - - C:\Windows\System\aLeFHSa.exe
        
        C:\Windows\System\aLeFHSa.exe
        5⤵
        
        PID:6240
    - - C:\Windows\System\aMlxEJV.exe
        
        C:\Windows\System\aMlxEJV.exe
        5⤵
        
        PID:8560
    - - C:\Windows\System\KriPOJM.exe
        
        C:\Windows\System\KriPOJM.exe
        5⤵
        
        PID:6832
    - - C:\Windows\System\ucznUvP.exe
        
        C:\Windows\System\ucznUvP.exe
        5⤵
        
        PID:15396
    - - C:\Windows\System\bPgFXTL.exe
        
        C:\Windows\System\bPgFXTL.exe
        5⤵
        
        PID:15412
    - - C:\Windows\System\PHgucVs.exe
        
        C:\Windows\System\PHgucVs.exe
        5⤵
        
        PID:15428
    - - C:\Windows\System\GRiBcnd.exe
        
        C:\Windows\System\GRiBcnd.exe
        5⤵
        
        PID:15444
    - - C:\Windows\System\URSDhLI.exe
        
        C:\Windows\System\URSDhLI.exe
        5⤵
        
        PID:15500
    - - C:\Windows\System\DQwSEqK.exe
        
        C:\Windows\System\DQwSEqK.exe
        5⤵
        
        PID:15516
    - - C:\Windows\System\IdSutcf.exe
        
        C:\Windows\System\IdSutcf.exe
        5⤵
        
        PID:15548
    - - C:\Windows\System\ZJNkKTJ.exe
        
        C:\Windows\System\ZJNkKTJ.exe
        5⤵
        
        PID:15572
    - - C:\Windows\System\MvxGips.exe
        
        C:\Windows\System\MvxGips.exe
        5⤵
        
        PID:15588
    - - C:\Windows\System\LJrvQuO.exe
        
        C:\Windows\System\LJrvQuO.exe
        5⤵
        
        PID:15604
    - - C:\Windows\System\SMlizzy.exe
        
        C:\Windows\System\SMlizzy.exe
        5⤵
        
        PID:15620
    - - C:\Windows\System\npaVofw.exe
        
        C:\Windows\System\npaVofw.exe
        5⤵
        
        PID:15636
    - - C:\Windows\System\BRHrBSy.exe
        
        C:\Windows\System\BRHrBSy.exe
        5⤵
        
        PID:15664
    - - C:\Windows\System\oaNrIUP.exe
        
        C:\Windows\System\oaNrIUP.exe
        5⤵
        
        PID:15692
    - - C:\Windows\System\IdsAhkU.exe
        
        C:\Windows\System\IdsAhkU.exe
        5⤵
        
        PID:15712
    - - C:\Windows\System\wxgdOhx.exe
        
        C:\Windows\System\wxgdOhx.exe
        5⤵
        
        PID:15732
    - - C:\Windows\System\zWraWfW.exe
        
        C:\Windows\System\zWraWfW.exe
        5⤵
        
        PID:15780
    - - C:\Windows\System\QBauiFZ.exe
        
        C:\Windows\System\QBauiFZ.exe
        5⤵
        
        PID:15948
    - - C:\Windows\System\xxpuamA.exe
        
        C:\Windows\System\xxpuamA.exe
        5⤵
        
        PID:15964
    - - C:\Windows\System\ygNCtVh.exe
        
        C:\Windows\System\ygNCtVh.exe
        5⤵
        
        PID:15980
    - - C:\Windows\System\SifeLvP.exe
        
        C:\Windows\System\SifeLvP.exe
        5⤵
        
        PID:15996
    - - C:\Windows\System\GkPHond.exe
        
        C:\Windows\System\GkPHond.exe
        5⤵
        
        PID:16036
    - - C:\Windows\System\wxJoFIC.exe
        
        C:\Windows\System\wxJoFIC.exe
        5⤵
        
        PID:16068
    - - C:\Windows\System\TtiAfIk.exe
        
        C:\Windows\System\TtiAfIk.exe
        5⤵
        
        PID:16084
    - - C:\Windows\System\zwzXBUm.exe
        
        C:\Windows\System\zwzXBUm.exe
        5⤵
        
        PID:16100
    - - C:\Windows\System\toQtdRA.exe
        
        C:\Windows\System\toQtdRA.exe
        5⤵
        
        PID:16124
    - - C:\Windows\System\dvIkkSm.exe
        
        C:\Windows\System\dvIkkSm.exe
        5⤵
        
        PID:16140
    - - C:\Windows\System\ykQkvrK.exe
        
        C:\Windows\System\ykQkvrK.exe
        5⤵
        
        PID:16160
    - - C:\Windows\System\rMflGXz.exe
        
        C:\Windows\System\rMflGXz.exe
        5⤵
        
        PID:16176
    - - C:\Windows\System\DKfbnQR.exe
        
        C:\Windows\System\DKfbnQR.exe
        5⤵
        
        PID:16224
    - - C:\Windows\System\hSMhgrF.exe
        
        C:\Windows\System\hSMhgrF.exe
        5⤵
        
        PID:16240
    - - C:\Windows\System\pBYrQMt.exe
        
        C:\Windows\System\pBYrQMt.exe
        5⤵
        
        PID:16256
    - - C:\Windows\System\OsWAiZo.exe
        
        C:\Windows\System\OsWAiZo.exe
        5⤵
        
        PID:16276
    - - C:\Windows\System\iqMBKpT.exe
        
        C:\Windows\System\iqMBKpT.exe
        5⤵
        
        PID:16292
    - - C:\Windows\System\jDEBqQD.exe
        
        C:\Windows\System\jDEBqQD.exe
        5⤵
        
        PID:16308
    - - C:\Windows\System\FyTLCGJ.exe
        
        C:\Windows\System\FyTLCGJ.exe
        5⤵
        
        PID:16324
    - - C:\Windows\System\sEohJPm.exe
        
        C:\Windows\System\sEohJPm.exe
        5⤵
        
        PID:16340
    - - C:\Windows\System\SpwvmCl.exe
        
        C:\Windows\System\SpwvmCl.exe
        5⤵
        
        PID:16360
    - - C:\Windows\System\lqHZwmv.exe
        
        C:\Windows\System\lqHZwmv.exe
        5⤵
        
        PID:12932
    - - C:\Windows\System\xRpNSuX.exe
        
        C:\Windows\System\xRpNSuX.exe
        5⤵
        
        PID:8692
    - - C:\Windows\System\FmMeUeh.exe
        
        C:\Windows\System\FmMeUeh.exe
        5⤵
        
        PID:13924
    - - C:\Windows\System\ZCnEADZ.exe
        
        C:\Windows\System\ZCnEADZ.exe
        5⤵
        
        PID:14192
    - - C:\Windows\System\PPOjeDf.exe
        
        C:\Windows\System\PPOjeDf.exe
        5⤵
        
        PID:15104
    - - C:\Windows\System\mWqyhHy.exe
        
        C:\Windows\System\mWqyhHy.exe
        5⤵
        
        PID:9048
    - - C:\Windows\System\WulAgDY.exe
        
        C:\Windows\System\WulAgDY.exe
        5⤵
        
        PID:7648
    - - C:\Windows\System\cslduHM.exe
        
        C:\Windows\System\cslduHM.exe
        5⤵
        
        PID:5500
    - - C:\Windows\System\FgPOcxC.exe
        
        C:\Windows\System\FgPOcxC.exe
        5⤵
        
        PID:11692
    - - C:\Windows\System\vTxMPKL.exe
        
        C:\Windows\System\vTxMPKL.exe
        5⤵
        
        PID:10308
    - - C:\Windows\System\PWbmLWa.exe
        
        C:\Windows\System\PWbmLWa.exe
        5⤵
        
        PID:10320
    - - C:\Windows\System\sZDLaUd.exe
        
        C:\Windows\System\sZDLaUd.exe
        5⤵
        
        PID:10636
    - - C:\Windows\System\mZDnrlR.exe
        
        C:\Windows\System\mZDnrlR.exe
        5⤵
        
        PID:1760
    - - C:\Windows\System\mjLAifz.exe
        
        C:\Windows\System\mjLAifz.exe
        5⤵
        
        PID:8516
    - - C:\Windows\System\arKrejF.exe
        
        C:\Windows\System\arKrejF.exe
        5⤵
        
        PID:14540
    - - C:\Windows\System\aJtbrHp.exe
        
        C:\Windows\System\aJtbrHp.exe
        5⤵
        
        PID:5276
    - - C:\Windows\System\ZWlOYvB.exe
        
        C:\Windows\System\ZWlOYvB.exe
        5⤵
        
        PID:6252
    - - C:\Windows\System\pPYJkbk.exe
        
        C:\Windows\System\pPYJkbk.exe
        5⤵
        
        PID:5520
    - - C:\Windows\System\BIFpdyq.exe
        
        C:\Windows\System\BIFpdyq.exe
        5⤵
        
        PID:15884
    - - C:\Windows\System\fXohecv.exe
        
        C:\Windows\System\fXohecv.exe
        5⤵
        
        PID:3660
    - - C:\Windows\System\FjENuSh.exe
        
        C:\Windows\System\FjENuSh.exe
        5⤵
        
        PID:16080
    - - C:\Windows\System\MBayVfL.exe
        
        C:\Windows\System\MBayVfL.exe
        5⤵
        
        PID:5852
    - - C:\Windows\System\lGgTlwh.exe
        
        C:\Windows\System\lGgTlwh.exe
        5⤵
        
        PID:9596
    - - C:\Windows\System\QvGjViL.exe
        
        C:\Windows\System\QvGjViL.exe
        5⤵
        
        PID:9676
    - - C:\Windows\System\POsqFVP.exe
        
        C:\Windows\System\POsqFVP.exe
        5⤵
        
        PID:11840
    - - C:\Windows\System\GXnnYZK.exe
        
        C:\Windows\System\GXnnYZK.exe
        5⤵
        
        PID:14360
    - - C:\Windows\System\GDhfZXw.exe
        
        C:\Windows\System\GDhfZXw.exe
        5⤵
        
        PID:11320
    - - C:\Windows\System\IHwBRzm.exe
        
        C:\Windows\System\IHwBRzm.exe
        5⤵
        
        PID:9396
    - - C:\Windows\System\QeCedjE.exe
        
        C:\Windows\System\QeCedjE.exe
        5⤵
        
        PID:6236
    - - C:\Windows\System\vLpVCrr.exe
        
        C:\Windows\System\vLpVCrr.exe
        5⤵
        
        PID:14804
    - - C:\Windows\System\ATFwwZo.exe
        
        C:\Windows\System\ATFwwZo.exe
        5⤵
        
        PID:4444
    - - C:\Windows\System\DxaGuHb.exe
        
        C:\Windows\System\DxaGuHb.exe
        5⤵
        
        PID:11392
    - - C:\Windows\System\DgYNUPI.exe
        
        C:\Windows\System\DgYNUPI.exe
        5⤵
        
        PID:6232
    - - C:\Windows\System\CjdtVYK.exe
        
        C:\Windows\System\CjdtVYK.exe
        5⤵
        
        PID:8052
    - - C:\Windows\System\YEowGtH.exe
        
        C:\Windows\System\YEowGtH.exe
        5⤵
        
        PID:9352
    - - C:\Windows\System\JrQcVPm.exe
        
        C:\Windows\System\JrQcVPm.exe
        5⤵
        
        PID:3352
    - - C:\Windows\System\kGjoYOl.exe
        
        C:\Windows\System\kGjoYOl.exe
        5⤵
        
        PID:11424
    - - C:\Windows\System\npMyXJI.exe
        
        C:\Windows\System\npMyXJI.exe
        5⤵
        
        PID:13468
  - - C:\Users\Admin\Downloads\240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
      C:\Users\Admin\Downloads\240920-p4qaxsxcngdd4273a9ff0f5c063aa519b4aa56eb09cf890e11cce36827b975db26a09c41cfN.exe
      4⤵
      Drops file in System32 directory
      PID:8940
    - - C:\Windows\System32\nuEvWtR.exe
        
        C:\Windows\System32\nuEvWtR.exe
        5⤵
        
        PID:11412
    - - C:\Windows\System32\ECLyRWL.exe
        
        C:\Windows\System32\ECLyRWL.exe
        5⤵
        
        PID:12172
    - - C:\Windows\System32\DLEWXCG.exe
        
        C:\Windows\System32\DLEWXCG.exe
        5⤵
        
        PID:8812
    - - C:\Windows\System32\xcBeIkP.exe
        
        C:\Windows\System32\xcBeIkP.exe
        5⤵
        
        PID:7496
    - - C:\Windows\System32\boCQCYY.exe
        
        C:\Windows\System32\boCQCYY.exe
        5⤵
        
        PID:6656
    - - C:\Windows\System32\ERixYFG.exe
        
        C:\Windows\System32\ERixYFG.exe
        5⤵
        
        PID:12552
    - - C:\Windows\System32\PgYFRJK.exe
        
        C:\Windows\System32\PgYFRJK.exe
        5⤵
        
        PID:12832
    - - C:\Windows\System32\HHnzYUs.exe
        
        C:\Windows\System32\HHnzYUs.exe
        5⤵
        
        PID:6160
    - - C:\Windows\System32\RryRMfV.exe
        
        C:\Windows\System32\RryRMfV.exe
        5⤵
        
        PID:13852
    - - C:\Windows\System32\kfedraw.exe
        
        C:\Windows\System32\kfedraw.exe
        5⤵
        
        PID:13868
    - - C:\Windows\System32\MgcvbQd.exe
        
        C:\Windows\System32\MgcvbQd.exe
        5⤵
        
        PID:14848
    - - C:\Windows\System32\XbLOcAf.exe
        
        C:\Windows\System32\XbLOcAf.exe
        5⤵
        
        PID:11504
    - - C:\Windows\System32\kwNiUei.exe
        
        C:\Windows\System32\kwNiUei.exe
        5⤵
        
        PID:10060
    - - C:\Windows\System32\cOlzRZV.exe
        
        C:\Windows\System32\cOlzRZV.exe
        5⤵
        
        PID:12296
    - - C:\Windows\System32\JcZxkCU.exe
        
        C:\Windows\System32\JcZxkCU.exe
        5⤵
        
        PID:15536
    - - C:\Windows\System32\pvQTZNp.exe
        
        C:\Windows\System32\pvQTZNp.exe
        5⤵
        
        PID:15940
    - - C:\Windows\System32\vxeTMjh.exe
        
        C:\Windows\System32\vxeTMjh.exe
        5⤵
        
        PID:13400
    - - C:\Windows\System32\bCfvTQD.exe
        
        C:\Windows\System32\bCfvTQD.exe
        5⤵
        
        PID:12120
    - - C:\Windows\System32\XoXSpOg.exe
        
        C:\Windows\System32\XoXSpOg.exe
        5⤵
        
        PID:1800
    - - C:\Windows\System32\TKhMonl.exe
        
        C:\Windows\System32\TKhMonl.exe
        5⤵
        
        PID:4348
    - - C:\Windows\System32\gswmuLn.exe
        
        C:\Windows\System32\gswmuLn.exe
        5⤵
        
        PID:2856
    - - C:\Windows\System32\HVpBDga.exe
        
        C:\Windows\System32\HVpBDga.exe
        5⤵
        
        PID:7392
    - - C:\Windows\System32\wHTEOLh.exe
        
        C:\Windows\System32\wHTEOLh.exe
        5⤵
        
        PID:15424
    - - C:\Windows\System32\EebeyrU.exe
        
        C:\Windows\System32\EebeyrU.exe
        5⤵
        
        PID:12436
    - - C:\Windows\System32\mehjNCq.exe
        
        C:\Windows\System32\mehjNCq.exe
        5⤵
        
        PID:12496
    - - C:\Windows\System32\hUUJKnk.exe
        
        C:\Windows\System32\hUUJKnk.exe
        5⤵
        
        PID:12672
    - - C:\Windows\System32\GVMEnjR.exe
        
        C:\Windows\System32\GVMEnjR.exe
        5⤵
        
        PID:12752
    - - C:\Windows\System32\kBNkCaw.exe
        
        C:\Windows\System32\kBNkCaw.exe
        5⤵
        
        PID:12800
    - - C:\Windows\System32\gDfbsAy.exe
        
        C:\Windows\System32\gDfbsAy.exe
        5⤵
        
        PID:12888
    - - C:\Windows\System32\vvcWsWq.exe
        
        C:\Windows\System32\vvcWsWq.exe
        5⤵
        
        PID:15512
    - - C:\Windows\System32\czWCYNi.exe
        
        C:\Windows\System32\czWCYNi.exe
        5⤵
        
        PID:6272
    - - C:\Windows\System32\YwVAtjE.exe
        
        C:\Windows\System32\YwVAtjE.exe
        5⤵
        
        PID:7624
    - - C:\Windows\System32\wDDkXfp.exe
        
        C:\Windows\System32\wDDkXfp.exe
        5⤵
        
        PID:13236
    - - C:\Windows\System32\GEMnwWx.exe
        
        C:\Windows\System32\GEMnwWx.exe
        5⤵
        
        PID:13100
    - - C:\Windows\System32\CCMYlOJ.exe
        
        C:\Windows\System32\CCMYlOJ.exe
        5⤵
        
        PID:13000
    - - C:\Windows\System32\BNqmXrT.exe
        
        C:\Windows\System32\BNqmXrT.exe
        5⤵
        
        PID:8476
    - - C:\Windows\System32\ZnkaFHD.exe
        
        C:\Windows\System32\ZnkaFHD.exe
        5⤵
        
        PID:13560
    - - C:\Windows\System32\pPBjhcg.exe
        
        C:\Windows\System32\pPBjhcg.exe
        5⤵
        
        PID:13376
    - - C:\Windows\System32\amsEoED.exe
        
        C:\Windows\System32\amsEoED.exe
        5⤵
        
        PID:11776
    - - C:\Windows\System32\IxAGpTe.exe
        
        C:\Windows\System32\IxAGpTe.exe
        5⤵
        
        PID:12212
  - - C:\Users\Admin\Downloads\240920-ptzfvaxblj296deb014deddbad300c2ba8f156ba599e6a57efeffb42f5afc19fe88c5fc811N.exe
      C:\Users\Admin\Downloads\240920-ptzfvaxblj296deb014deddbad300c2ba8f156ba599e6a57efeffb42f5afc19fe88c5fc811N.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5824
  - - C:\Users\Admin\Downloads\240920-p54vpsxdlcf92c71efc8ef3d33079441049c884f66c2c0ecf1deb216561d60b1397088442fN.exe
      C:\Users\Admin\Downloads\240920-p54vpsxdlcf92c71efc8ef3d33079441049c884f66c2c0ecf1deb216561d60b1397088442fN.exe
      4⤵
      PID:8012
  - - C:\Users\Admin\Downloads\240920-qh8qtaydmqe6653815847a48ccd23c521abf6be773bdaf1a8d8d49033674d9867070468989N.exe
      C:\Users\Admin\Downloads\240920-qh8qtaydmqe6653815847a48ccd23c521abf6be773bdaf1a8d8d49033674d9867070468989N.exe
      4⤵
      Loads dropped DLL
      PID:9376
  - - C:\Users\Admin\Downloads\240920-qkdnfsydrjffb76b552990f325604ec8fe20bd48ac713b818febb830218d7175c36d517cdbN.exe
      C:\Users\Admin\Downloads\240920-qkdnfsydrjffb76b552990f325604ec8fe20bd48ac713b818febb830218d7175c36d517cdbN.exe
      4⤵
      Loads dropped DLL
      PID:6256
  - - C:\Users\Admin\Downloads\240920-p3esssxenj1479015cbe6fb3998c190dc42f3165066bf3191f841e0bb92df6484c0611e70cN.exe
      C:\Users\Admin\Downloads\240920-p3esssxenj1479015cbe6fb3998c190dc42f3165066bf3191f841e0bb92df6484c0611e70cN.exe
      4⤵
      PID:8388
    - - \??\c:\lxfflfr.exe
        
        c:\lxfflfr.exe
        5⤵
        
        PID:10660
      - \??\c:\vvpjv.exe
        
        c:\vvpjv.exe
        6⤵
        
        PID:11580
        
        \??\c:\vpjdv.exe
        
        c:\vpjdv.exe
        7⤵
        
        PID:3424
        
        \??\c:\ntnnbb.exe
        
        c:\ntnnbb.exe
        8⤵
        
        PID:15484
  - - C:\Users\Admin\Downloads\240920-qgxl6axhneeda9e92acebfb21133cfaf6eac807914_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qgxl6axhneeda9e92acebfb21133cfaf6eac807914_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:852
  - - C:\Users\Admin\Downloads\240920-qkm7wsyejj403e29d1007292be623ad725e8f4b2c49388b464848397f03a41d82616233a25N.exe
      C:\Users\Admin\Downloads\240920-qkm7wsyejj403e29d1007292be623ad725e8f4b2c49388b464848397f03a41d82616233a25N.exe
      4⤵
      PID:9568
    - - C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12128
      - C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        6⤵
        
        PID:6096
  - - C:\Users\Admin\Downloads\240920-pv5z1swhkebbb30adb1825dfc4226cc7b15f9c107132c6f8eb0c4d9a95e6480932292ca8a7N.exe
      C:\Users\Admin\Downloads\240920-pv5z1swhkebbb30adb1825dfc4226cc7b15f9c107132c6f8eb0c4d9a95e6480932292ca8a7N.exe
      4⤵
      PID:9312
    - - C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:10096
      - C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:10564
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
  - - C:\Users\Admin\Downloads\240920-pys5maxalhed9dbfe711729666fea40b1e08f5d0e2_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pys5maxalhed9dbfe711729666fea40b1e08f5d0e2_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 276
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:11372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 288
        5⤵
        Program crash
        
        PID:4600
  - - C:\Users\Admin\Downloads\240920-p8nmwsxemgbdec8ef959b2869ed4a098d79191d6573c5faf7c50d9a6abd176713d2eda40c0N.exe
      C:\Users\Admin\Downloads\240920-p8nmwsxemgbdec8ef959b2869ed4a098d79191d6573c5faf7c50d9a6abd176713d2eda40c0N.exe
      4⤵
      Drops file in System32 directory
      PID:1940
    - - C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4584
  - - C:\Users\Admin\Downloads\240920-qemdeaxgpd91412a18bfb27539c69fc85e54fd1b8b18d85c72175731ce3539b995ba5d4490N.exe
      C:\Users\Admin\Downloads\240920-qemdeaxgpd91412a18bfb27539c69fc85e54fd1b8b18d85c72175731ce3539b995ba5d4490N.exe
      4⤵
      PID:9588
    - - C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        5⤵
        
        PID:12156
      - C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10180
  - - C:\Users\Admin\Downloads\240920-pxm7zswhrb49294e7aedb089512f1d04e7a823837ff5d0740947f7c95f71b89f69fab16e70N.exe
      C:\Users\Admin\Downloads\240920-pxm7zswhrb49294e7aedb089512f1d04e7a823837ff5d0740947f7c95f71b89f69fab16e70N.exe
      4⤵
      PID:9004
    - - C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        5⤵
        
        PID:12196
      - C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        7⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        8⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        9⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        10⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Gccmaack.exe
        
        C:\Windows\system32\Gccmaack.exe
        11⤵
        
        PID:15600
        
        C:\Windows\SysWOW64\Geklckkd.exe
        
        C:\Windows\system32\Geklckkd.exe
        12⤵
        
        PID:14608
        
        C:\Windows\SysWOW64\Hhehkepj.exe
        
        C:\Windows\system32\Hhehkepj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:16188
        
        C:\Windows\SysWOW64\Icbbimih.exe
        
        C:\Windows\system32\Icbbimih.exe
        14⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Jmopmalc.exe
        
        C:\Windows\system32\Jmopmalc.exe
        15⤵
        Drops file in System32 directory
        
        PID:8632
        
        C:\Windows\SysWOW64\Likcdpop.exe
        
        C:\Windows\system32\Likcdpop.exe
        16⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Mfhgcbfo.exe
        
        C:\Windows\system32\Mfhgcbfo.exe
        17⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        18⤵
        Modifies registry class
        
        PID:3592
  - - C:\Users\Admin\Downloads\240920-qalajsxfjh18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795.exe
      C:\Users\Admin\Downloads\240920-qalajsxfjh18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795.exe
      4⤵
      PID:9672
  - - C:\Users\Admin\Downloads\240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
      C:\Users\Admin\Downloads\240920-prappswfmg00db28e5a7412cf4a6f87f8589244cd1.exe
      4⤵
      Drops file in Program Files directory
      PID:9708
  - - C:\Users\Admin\Downloads\240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qbn3tsyanleda64cd8498e07628ed19290253d9333_JaffaCakes118.exe
      4⤵
      Modifies firewall policy service
      Adds Run key to start application
      PID:9780
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -im ashMaiSv.exe -im mcvsftsn.exe -im Mcdetect.exe -im McTskshd.exe -im mcvsshld.exe -im McVSEscn.exe -im McShield.exe -im mcagent.exe -im oasclnt.exe -im nod32kui.exe
        5⤵
        Kills process with taskkill
        
        PID:9692
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:11964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -im ashMaiSv.exe -im mcvsftsn.exe -im Mcdetect.exe -im McTskshd.exe -im mcvsshld.exe -im McVSEscn.exe -im McShield.exe -im mcagent.exe -im oasclnt.exe -im nod32kui.exe
        5⤵
        Kills process with taskkill
        
        PID:1228
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:11972
  - - C:\Users\Admin\Downloads\240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pw91csxclqed9c5a1eb1f387a3ce8914ddb4defe83_JaffaCakes118.exe
      4⤵
      Suspicious behavior: MapViewOfSection
      PID:9800
  - - C:\Users\Admin\Downloads\240920-qk384syelkedac62408b8856c7353817b68bef60ce_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qk384syelkedac62408b8856c7353817b68bef60ce_JaffaCakes118.exe
      4⤵
      Drops file in Program Files directory
      PID:9900
    - - C:\program files\internet explorer\IEXPLORE.EXE
        
        "C:\program files\internet explorer\IEXPLORE.EXE"
        5⤵
        
        PID:2772
  - - C:\Users\Admin\Downloads\240920-qgkycsxhmceda9af60aedff23e13dce0da64d09d03_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qgkycsxhmceda9af60aedff23e13dce0da64d09d03_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:208
  - - C:\Users\Admin\Downloads\240920-p68kaaxgmqb536db3bd2c005b90eb5867b319c0e99c5171518d0072a4547cef27120f0c07fN.exe
      C:\Users\Admin\Downloads\240920-p68kaaxgmqb536db3bd2c005b90eb5867b319c0e99c5171518d0072a4547cef27120f0c07fN.exe
      4⤵
      PID:8628
    - - C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        5⤵
        
        PID:8148
      - C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        6⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        7⤵
        
        PID:7232
  - - C:\Users\Admin\Downloads\240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-prgs1sxaljed986e8e78df8348ae9392d9d05e33fc_JaffaCakes118.exe
      4⤵
      Enumerates connected drives
      Drops file in System32 directory
      PID:10400
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:12048
  - - C:\Users\Admin\Downloads\240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
      C:\Users\Admin\Downloads\240920-p3xzdaxeqj893cefc4cbe1cecee8b0f6a594ae75a7e3339c9689b5e38fb8360722ff8ef09dN.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:6432
  - - C:\Users\Admin\Downloads\240920-qgmf7axhmeeda9ba49db1396afbe40b1ed8fa20918_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qgmf7axhmeeda9ba49db1396afbe40b1ed8fa20918_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:11612
  - - C:\Users\Admin\Downloads\240920-pzg4raxapced9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pzg4raxapced9e7aca805a43c002de1ed96f877250_JaffaCakes118.exe
      4⤵
      PID:7000
  - - C:\Users\Admin\Downloads\240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
      C:\Users\Admin\Downloads\240920-qbs2saxfpa2af91cb6aea623756188f342803bd476af3a9b0470a354f54439f7d998b2eeafN.exe
      4⤵
      Modifies firewall policy service
      Adds Run key to start application
      Drops file in Program Files directory
      PID:14012
    - - C:\Program Files (x86)\5ba632a2\jusched.exe
        
        "C:\Program Files (x86)\5ba632a2\jusched.exe"
        5⤵
        
        PID:11228
  - - C:\Users\Admin\Downloads\240920-qky96ayarh9a702b5d1ea054b7ed3b9542e9f960221ad08aeb1b73d412b1686482e6f808beN.exe
      C:\Users\Admin\Downloads\240920-qky96ayarh9a702b5d1ea054b7ed3b9542e9f960221ad08aeb1b73d412b1686482e6f808beN.exe
      4⤵
      PID:14920
    - - C:\Windows\SysWOW64\Lhmjlm32.exe
        
        C:\Windows\system32\Lhmjlm32.exe
        5⤵
        Modifies registry class
        
        PID:12652
      - C:\Windows\SysWOW64\Ggafgo32.exe
        
        C:\Windows\system32\Ggafgo32.exe
        6⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        7⤵
        Drops file in System32 directory
        
        PID:15924
        
        C:\Windows\SysWOW64\Iqaiga32.exe
        
        C:\Windows\system32\Iqaiga32.exe
        8⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Jflnafno.exe
        
        C:\Windows\system32\Jflnafno.exe
        9⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\Kanbjn32.exe
        
        C:\Windows\system32\Kanbjn32.exe
        10⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Lplaaiqd.exe
        
        C:\Windows\system32\Lplaaiqd.exe
        11⤵
        
        PID:12148
        
        C:\Windows\SysWOW64\Mfomda32.exe
        
        C:\Windows\system32\Mfomda32.exe
        12⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        13⤵
        
        PID:5996
  - - C:\Users\Admin\Downloads\240920-qatxpayakmeda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qatxpayakmeda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
      4⤵
      PID:13352
  - - C:\Users\Admin\Downloads\240920-qj9dqsydqne74a32e009cb8730cd1f3d529ca944ec72215b4b4a075b2e0b596608db66a52aN.exe
      C:\Users\Admin\Downloads\240920-qj9dqsydqne74a32e009cb8730cd1f3d529ca944ec72215b4b4a075b2e0b596608db66a52aN.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:15752
    - - C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:16168
  - - C:\Users\Admin\Downloads\240920-p133lsxblged9f7a0516013b514212e62606b55892_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p133lsxblged9f7a0516013b514212e62606b55892_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:9920
  - - C:\Users\Admin\Downloads\240920-qlr78sybmaedacbadd9b726b4bb5fd13b96d6409ce_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qlr78sybmaedacbadd9b726b4bb5fd13b96d6409ce_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:9160
  - - C:\Users\Admin\Downloads\240920-p1gvdaxdpp637f4d9a159c729f826b5872b563ce07d664cfaf7eb594bc1e1b721d9e356a5dN.exe
      C:\Users\Admin\Downloads\240920-p1gvdaxdpp637f4d9a159c729f826b5872b563ce07d664cfaf7eb594bc1e1b721d9e356a5dN.exe
      4⤵
      PID:6352
  - - C:\Users\Admin\Downloads\240920-pw7v1axclne0333a8ec110feec7bf196db647809f8760477ef518da533e256e1b6000fd1adN.exe
      C:\Users\Admin\Downloads\240920-pw7v1axclne0333a8ec110feec7bf196db647809f8760477ef518da533e256e1b6000fd1adN.exe
      4⤵
      PID:5340
    - - C:\Windows\SysWOW64\Mjaodkmo.exe
        
        C:\Windows\system32\Mjaodkmo.exe
        5⤵
        
        PID:5876
      - C:\Windows\SysWOW64\Odqbdnod.exe
        
        C:\Windows\system32\Odqbdnod.exe
        6⤵
        
        PID:5372
  - - C:\Users\Admin\Downloads\240920-prwbeawfqa8246dddbeb3abff1aece6a82728122db5783c1f8a5cbb3269f61a17de1f61384N.exe
      C:\Users\Admin\Downloads\240920-prwbeawfqa8246dddbeb3abff1aece6a82728122db5783c1f8a5cbb3269f61a17de1f61384N.exe
      4⤵
      PID:15680
    - - \??\c:\hbtttn.exe
        
        c:\hbtttn.exe
        5⤵
        
        PID:15168
      - \??\c:\xfxrlff.exe
        
        c:\xfxrlff.exe
        6⤵
        
        PID:14736
  - - C:\Users\Admin\Downloads\240920-psm2eswgkaed99b02eb1fac8bc4137e3e94167ceaf_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-psm2eswgkaed99b02eb1fac8bc4137e3e94167ceaf_JaffaCakes118.exe
      4⤵
      PID:316
  - - C:\Users\Admin\Downloads\240920-pymylsxdjqa1635ade0b2f3b3f565401c36cd0e5b50ca14dbf392d506c4ae750fb97f9cf82N.exe
      C:\Users\Admin\Downloads\240920-pymylsxdjqa1635ade0b2f3b3f565401c36cd0e5b50ca14dbf392d506c4ae750fb97f9cf82N.exe
      4⤵
      PID:11340
    - - C:\Windows\SysWOW64\Ecoiapdj.exe
        
        C:\Windows\system32\Ecoiapdj.exe
        5⤵
        
        PID:3576
  - - C:\Users\Admin\Downloads\240920-p14n5sxblh5d6a4fd70279102ef7f99c0e7969b433d93279d1bc6881e1f4c81528bae74131N.exe
      C:\Users\Admin\Downloads\240920-p14n5sxblh5d6a4fd70279102ef7f99c0e7969b433d93279d1bc6881e1f4c81528bae74131N.exe
      4⤵
      PID:11496
    - - C:\Windows\SysWOW64\Fcjimnjl.exe
        
        C:\Windows\system32\Fcjimnjl.exe
        5⤵
        
        PID:15824
  - - C:\Users\Admin\Downloads\240920-pv99qsxbqp6966abeae5c51d169fc04e631bdb3f510c33322430151d8b8835a5a070b53c12N.exe
      C:\Users\Admin\Downloads\240920-pv99qsxbqp6966abeae5c51d169fc04e631bdb3f510c33322430151d8b8835a5a070b53c12N.exe
      4⤵
      PID:11668
  - - C:\Users\Admin\Downloads\240920-p5ntgsxfpneda2015d072ccf06cada0a38ba099576_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p5ntgsxfpneda2015d072ccf06cada0a38ba099576_JaffaCakes118.exe
      4⤵
      PID:14692
  - - C:\Users\Admin\Downloads\240920-qk2qaaybjb2024092010189572f9be8d417775d6093b2b6770icedid.exe
      C:\Users\Admin\Downloads\240920-qk2qaaybjb2024092010189572f9be8d417775d6093b2b6770icedid.exe
      4⤵
      PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\240920-psfmcawgjcmain.bat
      4⤵
      PID:12432
  - - C:\Users\Admin\Downloads\240920-pvlalsxbnm5.exe
      C:\Users\Admin\Downloads\240920-pvlalsxbnm5.exe
      4⤵
      PID:8716
  - - C:\Users\Admin\Downloads\240920-p9e25sxhmqeda4e07c9b9312b025232d7185c9e034_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p9e25sxhmqeda4e07c9b9312b025232d7185c9e034_JaffaCakes118.exe
      4⤵
      PID:10560
  - - C:\Users\Admin\Downloads\240920-qc213sxgkbeda7357073228bdad2dda0318a3a2a1f_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-qc213sxgkbeda7357073228bdad2dda0318a3a2a1f_JaffaCakes118.exe
      4⤵
      PID:12476
  - - C:\Users\Admin\Downloads\240920-p89kcsxepfeda4c598bb3a3a5f0d36eac37eb714ac_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-p89kcsxepfeda4c598bb3a3a5f0d36eac37eb714ac_JaffaCakes118.exe
      4⤵
      PID:10268
  - - C:\Users\Admin\Downloads\240920-qb831ayaqjAimbotV2.exe
      C:\Users\Admin\Downloads\240920-qb831ayaqjAimbotV2.exe
      4⤵
      PID:5208
  - - C:\Users\Admin\Downloads\240920-qf6hnsxhleRadarCheat.exe
      C:\Users\Admin\Downloads\240920-qf6hnsxhleRadarCheat.exe
      4⤵
      PID:6704
  - - C:\Users\Admin\Downloads\240920-qkw5ssyarf2f337088db997e52872f3b3c9b223897c5a652dc4db6ac918ac3b3111d1d8725N.exe
      C:\Users\Admin\Downloads\240920-qkw5ssyarf2f337088db997e52872f3b3c9b223897c5a652dc4db6ac918ac3b3111d1d8725N.exe
      4⤵
      PID:12068
  - - C:\Users\Admin\Downloads\240920-pxqm4sxcnped9c99d57c7f75f2a3e2632400e68b7d_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240920-pxqm4sxcnped9c99d57c7f75f2a3e2632400e68b7d_JaffaCakes118.exe
      4⤵
      PID:15616
  - - C:\Users\Admin\Downloads\240920-qkgp4sydrmDoomRat.exe
      C:\Users\Admin\Downloads\240920-qkgp4sydrmDoomRat.exe
      4⤵
      PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2124

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:9560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9196 -ip 9196
  2⤵
  PID:6720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5168 -ip 5168
  2⤵
  PID:10140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 9180 -ip 9180
  2⤵
  PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10748 -ip 10748
  2⤵
  PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6612 -ip 6612
  2⤵
  PID:5476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 11528 -ip 11528
  2⤵
  PID:10768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10064 -ip 10064
  2⤵
  PID:11544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 11208 -ip 11208
  2⤵
  PID:11940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8688 -ip 8688
  2⤵
  PID:10564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 9320 -ip 9320
  2⤵
  PID:16052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7484 -ip 7484
  2⤵
  PID:8276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 9680 -ip 9680
  2⤵
  PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8240 -ip 8240
  2⤵
  PID:11484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 852 -ip 852
  2⤵
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5788 -ip 5788
  2⤵
  PID:13048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7608 -ip 7608
  2⤵
  PID:11948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 10748 -ip 10748
  2⤵
  PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6612 -ip 6612
  2⤵
  PID:13396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6612 -ip 6612
  2⤵
  PID:2428

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\744000.dll

Filesize
69KB

MD5
2cc3e2d2e0b54ab90d4af4ce0331e148

SHA1
98f852312224f8a20bea665132e68c7d6e61ca93

SHA256
c32f1b6ee5a9e25d26d115571296570ca22c0c325afc0900e5d5d24efbc35262

SHA512
e61655fe27667ee42056d1494c275fed45978b898e1dedd378409448e76579ada062f20ac3a8fc4f9bd7f9b8ae6fae8f4da951dcf35f1b585a23a699d0dcbe4f

Download Submit
C:\754100.dll

Filesize
104KB

MD5
474ed52de429540c8c49b6b2d322eda8

SHA1
51b39f4e61db283eb4b51bfad6cc75e0887c21da

SHA256
ae1ac4b227ae40b01d2cbccf7968155c14c5bd83b03a729ee8a90cdfbc530fe7

SHA512
a56677bd780b79fafc58068e841671230064767b5bb923a35cc3e02b2949af8be2c2406f625de271d5ec17ed2e34308fde6a9c87fb1fa720e074bbad253c6ce6

Download Submit
C:\Program Files (x86)\5ba632a2\jusched.exe

Filesize
58KB

MD5
b5413f0447cc3b67528be30cb839898a

SHA1
8dd92764ae830cc713d92e7bbdfb50a35387c9be

SHA256
11b0ddd9b084d9a6b26aa517907fc43ace1d6ce362998cd61f702a726ec620be

SHA512
9975b46f5d37d4523a21732d8822d077cc4d017f679b73bbb1feddf85ed13492648d1f8795f421d5ae91b4301be3d5ab4b805eb38ec89d46760119007792155d

Download Submit
C:\Program Files (x86)\serveur.exe

Filesize
270KB

MD5
7cca2c09685f1b76e64d710096e17f2f

SHA1
89448deba857c2f43811e1c351d4c066475ad23f

SHA256
f67c75c2a2b5ff48fc8223f4731cef48cebe69e0bc72e16a7df5e4092eec7126

SHA512
9d14bd5b8e2e80cbeefdf9140e32ee27d486ce4c9425b772236a5848fea82a01139061a686155c1e5b567f328adc374160cccabccf89ddfd7eebbbf079613113

Download Submit
C:\Program Files\7-Zip\Lang\lYyVETy.exe

Filesize
1.9MB

MD5
00db28e5a7412cf4a6f87f8589244cd1

SHA1
49a8344dac9b27ebe4962f4fce5c7e2ef9c023f7

SHA256
27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c

SHA512
3c860c48ae7f37b023299455830310390c14ad69fa1e241e9f94041b9797ca415841c4b541b105b6ac84327015a97b1664aa098d3f2f4d918341e2dca65d60ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.com

Filesize
48KB

MD5
eda88f7ae36ded31fec80c7aa05b8f4e

SHA1
c75faa77cf874c55592addbd09b7b82a4b42139c

SHA256
d6329c34bcbbd51ad2ba703fbe2c437b06d698e7a26f6916390d9eab1b733fef

SHA512
fb6f5553c191317b60cd508876ab06f907e6a24be26ca56a3198335f28ccbc5386d5d924a1859942864ca67cbb05c7bbe53395564caa83aa22d2b5d51f8d43fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\Kazaa Lite.ShareReactor.com

Filesize
85KB

MD5
ed9c99d57c7f75f2a3e2632400e68b7d

SHA1
d444d025804ee1f398b06d88a9d97ec25c65dc33

SHA256
2cef2479a2607d4a470ee5e8a5c7f51211e2d91b42f7a6b00ef22103ff5697f4

SHA512
e3383e42a49f2329f54996ad28ae72eb036eb5a090ec2396c7fff088a525c524f7673f3c3af86d8772f2368ace9954bf028147281e8a30c85229c1966ba4ce37

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E58A071_Rar\240920-pskajaxapp52271c0a322dc8086b4773cada12947eef8b84ba166ca4be515f021523217e59N.exe

Filesize
115KB

MD5
b01ba38c120b8b1f5963e6b47ff12a1e

SHA1
10d2cd51fb97197949310ee9595f9e79d5392105

SHA256
ec9bbb5bd1161656917028baabf805b7db31b88864f787de09a5fbc9ae65a0cd

SHA512
21902e14f3c5baa34e7b2bdb77d09f6051af95a5690c8ef349cb4eb1f07baee8a837a820fb2dbb861cfdcbc40000e53d414cdb96899e018aa93b4a9378f1b92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDE3.tmp

Filesize
29KB

MD5
0a40b228986078563782af17403b4004

SHA1
407168ef3239934302926a4d2511ce006a0b45d8

SHA256
5bc50c26454e7714c1d86d40d4d5c6909807b85fb7f0f42e5dedb338aaa54bdf

SHA512
59f271e16995af904795f3b09b839ae757cf9102109133f1ec8618207f3d3057195733b23e6400faec5a16e5d3c182513cc14e3d6be5abf92481b4b7db87b0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp53B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_bz2.pyd

Filesize
83KB

MD5
dd26ed92888de9c57660a7ad631bb916

SHA1
77d479d44d9e04f0a1355569332233459b69a154

SHA256
324268786921ec940cbd4b5e2f71dafd08e578a12e373a715658527e5b211697

SHA512
d693367565005c1b87823e781dc5925146512182c8d8a3a2201e712c88df1c0e66e65ecaec9af22037f0a8f8b3fb3f511ea47cfd5774651d71673fab612d2897

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_cffi_backend.cp312-win_amd64.pyd

Filesize
175KB

MD5
d8caf1c098db12b2eba8edae51f31c10

SHA1
e533ac6c614d95c09082ae951b3b685daca29a8f

SHA256
364208a97336f577d99bbaaed6d2cf8a4a24d6693b323de4665f75a964ca041d

SHA512
77e36f4fb44374b7c58a9005a1d7dfeb3214eabb90786e8a7c6593b5b1c7a305d6aa446be7a06ae0ff38f2bedea68cacb39053b7b7ec297bff3571b3922fd938

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_ctypes.pyd

Filesize
122KB

MD5
c8afa1ebb28828e1115c110313d2a810

SHA1
1d0d28799a5dbe313b6f4ddfdb7986d2902fa97a

SHA256
8978972cf341ccd0edf8435d63909a739df7ef29ec7dd57ed5cab64b342891f0

SHA512
4d9f41bd23b62600d1eb097d1578ba656b5e13fd2f31ef74202aa511111969bb8cfc2a8e903de73bd6e63fadaa59b078714885b8c5b8ecc5c4128ff9d06c1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_decimal.pyd

Filesize
251KB

MD5
cea3b419c7ca87140a157629c6dbd299

SHA1
7dbff775235b1937b150ae70302b3208833dc9be

SHA256
95b9850e6fb335b235589dd1348e007507c6b28e332c9abb111f2a0035c358e5

SHA512
6e3a6781c0f05bb5182073cca1e69b6df55f05ff7cdcea394bacf50f88605e2241b7387f1d8ba9f40a96832d04f55edb80003f0cf1e537a26f99408ee9312f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_hashlib.pyd

Filesize
64KB

MD5
d19cb5ca144ae1fd29b6395b0225cf40

SHA1
5b9ec6e656261ce179dfcfd5c6a3cfe07c2dfeb4

SHA256
f95ec2562a3c70fb1a6e44d72f4223ce3c7a0f0038159d09dce629f59591d5aa

SHA512
9ac3a8a4dbdb09be3760e7ccb11269f82a47b24c03d10d289bcdded9a43e57d3cd656f8d060d66b810382ecac3a62f101f83ea626b58cd0b5a3cca25b67b1519

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_lzma.pyd

Filesize
156KB

MD5
8cfbafe65d6e38dde8e2e8006b66bb3e

SHA1
cb63addd102e47c777d55753c00c29c547e2243c

SHA256
6d548db0ab73291f82cf0f4ca9ec0c81460185319c8965e829faeacae19444ff

SHA512
fa021615d5c080aadcd5b84fd221900054eb763a7af8638f70cf6cd49bd92773074f1ac6884f3ce1d8a15d59439f554381377faee4842ed5beb13ff3e1b510f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_queue.pyd

Filesize
31KB

MD5
7d91dd8e5f1dbc3058ea399f5f31c1e6

SHA1
b983653b9f2df66e721ece95f086c2f933d303fc

SHA256
76bba42b1392dc57a867aef385b990fa302a4f1dcf453705ac119c9c98a36e8d

SHA512
b8e7369da79255a4bb2ed91ba0c313b4578ee45c94e6bc74582fc14f8b2984ed8fcda0434a5bd3b72ea704e6e8fd8cbf1901f325e774475e4f28961483d6c7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_socket.pyd

Filesize
81KB

MD5
e43aed7d6a8bcd9ddfc59c2d1a2c4b02

SHA1
36f367f68fb9868412246725b604b27b5019d747

SHA256
2c2a6a6ba360e38f0c2b5a53b4626f833a3111844d95615ebf35be0e76b1ef7a

SHA512
d92e26eb88db891de389a464f850a8da0a39af8a4d86d9894768cb97182b8351817ce14fe1eb8301b18b80d1d5d8876a48ba66eb7b874c7c3d7b009fcdbc8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
a58f3fbbbbb1ecb4260d626b07be2cda

SHA1
aed4398a71905952064fc5da1191f57846bbd2d6

SHA256
89dd6fbea61edb8f1c934b7e5e822b4ce9bea939ff585c83c197e06a1fd8311a

SHA512
7fd371818932384b014d219bb318fb86c1787f3a58a3f08e904b7bbe3486f7ad6bc3776b335c178658c87efd663b913a14fb16d1e52198801659e132fa830d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
adf9263b966cea234762c0782aba6e78

SHA1
e97047edecf92a0b654f7a25efd5484f13ded88f

SHA256
10cd6bf518350f93ab4643f701efdac851cdd7a26a0d8bcabfbb2bd273e1f529

SHA512
56c09d786f4ba401d4827da4148d96b140f28f647a03ac6ab94f64de9be4c75ecb8b583efad28aa0c51356978caa96f0cb9d56cc4883ff42c1ee7f736e481c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
28840d7d1ea0a873fb8f91c3e93d6108

SHA1
0856b3ceb5e300510b9791b031fffceaa78ee929

SHA256
d3fad206a52d9b1dd954c37a45e63e691ebc7bfe8af27a87553203fb445224ce

SHA512
93596ec710bd738fcbddf4db0f102f537355bbbaea347d2314d62064d5110cf1deb3ecb6d1e0922f019351acfe2d1c694684d0e62e22c004d5a20a6cae5c7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
586d46d392348ad2ee25404b9d005a4e

SHA1
4bece51a5daacf3c7dcff0edf34bcb813512027f

SHA256
2859fe2fe069e5f4300dd0106733750b1c8c67ee5d8788c4556b7d21c6da651d

SHA512
daad865dbb4ca7542d5bd50186ffa633a709bfe1cf79d0d98e738760634da49afef1c418357d9482dbe33fe995847e05f653b6e3bba00aa42badce47dd072115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
221f63ee94e3ffb567d2342df588bebc

SHA1
4831d769ebe1f44bf4c1245ee319f1452d45f3cd

SHA256
fd7c5503aa81dea1de9baee318e6a53663f7a4634f42e116e83c6a0f36d11143

SHA512
3d36175eaa6dc035f2b26b5638e332408579aa461d663f1cf5a3e9df20e11a7cca982b80c9dcf35ba9a8bc4203ac2f64f5dc043b60a6f16720f4d4ce052096c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6ee268f365dc48d407c337d1c7924b0c

SHA1
3eb808e972ae127c5cfcd787c473526a0caee699

SHA256
eb50cc53863c5a1c0b2fe805d9ecefef3f2dbd0e749a6cc142f89406f4ffdb10

SHA512
914da19994d7c9b1b02adb118d0b9cb2fdd5433ee448b15e21445ecfc30941045246b7c389a2d9c59fb6487bb00426579b054c946e52982516d09b095279c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
852904535068e569e2b157f3bca0c08f

SHA1
c79b4d109178f4ab8c19ab549286eee4edf6eddb

SHA256
202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225

SHA512
3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
cdfc83e189bda0ac9eab447671754e87

SHA1
cf597ee626366738d0ea1a1d8be245f26abbea72

SHA256
f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007

SHA512
659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
c79ccd7c5b752b1289980b0be29804c4

SHA1
2054a8f9ebf739adfcfc23534759ae52901c189f

SHA256
8e910589f3f9a27ed6ce1d4f2d579b4ef99cfa80c0bf6f59b48ba6556e1578a0

SHA512
92de7aec7f91f6f4f7cc3dd575b11ea0f4fe516682ba2d05d605380a785597bc953b575cf0ff722980f0849a65d8c4a14c7717eeed8631a7aac0cb626d050e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
aa20afdb5cbf1041d355a4234c2c1d45

SHA1
811f508bd33e89bbd13e37623b6e2e9e88fdcd7c

SHA256
ef6657aac4aa97a57e034fd5baf4490706128ffafce7c285dc8736b1f7ee4d09

SHA512
06740552875ff2df234ec76f45cce3c66b7d5280a3d1b90874799780ff534437e5dffacf9e40bfddc301507d833235e25eab8119ac80d2587a43a80d4f0068b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
f8203547595aa86bfe2cf85e579de087

SHA1
ca31fc30201196931595ac90f87c53e736f64acf

SHA256
e2d698823ba78b85d221744f38d3f9e8acccd0eedbb62c13e7d0dff4a04bd2b1

SHA512
d0818ee6b1a775793305828ba59c6c0f721d3fe2fcaca5bbfe047f25a500243ab4486c368302636e1c3934becc88c8178606a29871fe019d68b932ad1be3ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
0ccdef1404dbe551cd48604ff4252055

SHA1
38a8d492356dc2b1f1376bdeacab82d266a9d658

SHA256
4863006b0c2aa2a39dff2050b64fbbe448b3e28a239e9e58a9a6d32f5f5a3549

SHA512
0846489a418d2480e65f7bef4a564fe68fe554f4a603a6f372ddd03eed7ee6299649b61172a7a9ca9a9500a924c2642493cce1040fcd6601d5862c248c902e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
f1d0595773886d101e684e772118d1ef

SHA1
290276053a75cbeb794441965284b18311ab355d

SHA256
040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a

SHA512
db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
3abf2eb0c597131b05ee5b8550a13079

SHA1
5197da49b5e975675d1b954febb3738d6141f0c8

SHA256
ff611cc2cb492c84748fa148eda80dec0cb23fc3b71828475ecea29597c26cd8

SHA512
656213a8785fe937c38c58f0f01f693dc10dff1192b232f00fb18aa32c05c76a95566a9148462ea39b39f1740a7fee1c9ac9a90c6810f38512b3103d18c89b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
83a0b483d37ed23c6e67896d91cea3f0

SHA1
6b5045ed8717c5b9f50e6a23643357c8c024abdb

SHA256
d7511eb9191a63eb293af941667aa2318fa6da79f06119b280e0b11e6b6b1d25

SHA512
dab0203fc26c0249b7a8882d41365d82690d908db359c3a6880f41a1c4eebde51ae084bd123864c32d8574cb0a22cfbc94bcd8e33b51f37f49575e2b9de93807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8b0fe1a0ea86820020d2662873425bc4

SHA1
3c2292c34a2b53b29f62cc57838e087e98498012

SHA256
070d8827798ee2aa4c2dc70d7faef8ef680eca4c46ecc2dad3ce16380cab1f82

SHA512
0c29c8fae6c5a8de2f0047cbe66e0b2ae7c30cbeced6df1ea2e472ba123bf9e542d9e6cd8eb06b4f0cbe2e343b7929cf25bce1e79937076bf1d0480d91d2c9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
eaa2228507c1fbde1698256c01cd97b7

SHA1
c98936c79b769cf03e2163624b195c152324c88a

SHA256
4297033ef8061c797127f0382df24f69264dca5c14d4f5b6cd2bcca33e26c1f5

SHA512
8319949a1e1acca312dbe99dfd9eedd1b5e4a13946a6ff829d6792d72f0a3a618ce10140954c035a5390a5a6e3b8ae2f23513629007cd3b7a88d5fb6fd81d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e26a5e364a76bf00feaab920c535adbb

SHA1
411eaf1ca1d8f1aebcd816d93933561c927f2754

SHA256
b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15

SHA512
333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
82e58246846b6daf6ad4e4b208d322d4

SHA1
80f3b8460ab80d9abe54886417a6bc53fd9289fa

SHA256
f6eb755c146d0a0ebf59d24fb9e1e87dc0220b31b33c6acbc8bebaf31493c785

SHA512
e1a032846c6110758fbc8eb84dbd3d228e83b3200bf5820c67d9740f6f8c7e926e4c89b92e8d34721d84fd597ab64455fd3029138e35f22329af23f599afdadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
650c005113599fb8b0b2e0d357756ac7

SHA1
56791db00766dc400df477dcb4bd59c6fa509de6

SHA256
5f16a1131c8f00ebbe3c4b108bd772071a2d9b4ca01b669b8aeb3ffb43dabcda

SHA512
4bc54ad70b75f550e623311dc48ea0fd8ff71207f64127379fcd48027ee2458d27a2aaa454637b4f09d713cc9e1f2cc09bb6cd55b0c6b7ed25e52cb46827fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
f6afbc523b86f27b93074bc04668d3f2

SHA1
6311708ab0f04cb82accc6c06ae6735a2c691c1d

SHA256
71c0c7c163d1a3d35e74f8d7299eb38ef7268af1fa276e9a3966761212c570f0

SHA512
9ab0c2d025525fe047e27769c3b2be7526ad0d0cbe76eb1e3a84dc2cff60ab3c4a218388892f600f7b3b003909ae133b0e7da19c9ba96b624fa8f5123c3a97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
445571331c2fc8a153952a6980c1950a

SHA1
bea310d6243f2b25f2de8d8d69abaeb117cf2b82

SHA256
1dda55027f7d215442e11c88a82c95f312673b7e7454569e5c969c1c24047915

SHA512
853797dd50d0ad6018e7e7d11aefbca61653baa8c60b22fdd34133fce6bf6f02ed0c747457c2783e699e8e7097f14429286904267c13521ee9cb255d3ea79806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
5da5938e0d3a9024f42d55e1fd4c0cd7

SHA1
7e83fec64b4c4a96cfcae26ced9a48d4447f12b7

SHA256
0ea1cf78c0be94554ff7cd17a9c863c951c1e1eaa54191d7f2b0e043697c8d00

SHA512
9a302c664bfddf509c0489af24a238b15612802c7d6dccbbfb57b39691b80af79ed35cab31e84424a34e0de32179054277ca09a0457b90c72af195f8328c82dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
c1919eacf044d5c47cc2c83d3d9c9cd9

SHA1
0a80158c5999ea9f1c4ca11988456634d7491fcc

SHA256
9b82643497092524e0aed6cfbaf7467849cde82292313bbd745c61ed2fd32ea8

SHA512
ad2ccabbdc769cbeb3c0b4d8d647647c8f43d3c3f3c85ab638ce00665379f9a0f5bfc24fe25184003d180143c29da0c36c6d2c7ffeae68a81c27b90f69336cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
566232dabd645dcd37961d7ec8fde687

SHA1
88a7a8c777709ae4b6d47bed6678d0192eb3bc3f

SHA256
1290d332718c47961052ebc97a3a71db2c746a55c035a32b72e5ff00eb422f96

SHA512
e5d549c461859445006a4083763ce855adbb72cf9a0bcb8958daa99e20b1ca8a82dec12e1062787e2ae8aee94224b0c92171a4d99ed348b94eab921ede205220

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
0793ca01735f1d6a40dd6767e06dbb67

SHA1
6abea799a4a6e94d5a68fab51e79734751e940c5

SHA256
cdf7915f619a728fb64c257bfaa8257ee2353bf3c0b88214d5624931a1ac247b

SHA512
33f703cea3b6cef3fcbd973812635129ef204c2b1590ffe027dbd55ba35cbd481cf769de16634bd02acbdbd59e6af52cad0964d4d36327606c1948f38048703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
eeafb70f56cc0052435c2268021588e9

SHA1
89c89278c2ac4846ac7b8bd4177965e6f8f3a750

SHA256
b529fed3875c6f4eecf2d9c012bc0e27cb2d124c2dd1da155f8337b4cb002030

SHA512
ce211b79f4d0dc942dbe1544d7e26e8e6f2c116dce6bc678aede9cb2104771758c0bd670e1eca2d5a9a6728346d093f44459e9791317b215c6ff73e47d1203f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
17680cd553168e9126ca9d7437caecc7

SHA1
8acafcb5f01d3b01a7c48a3b91bdeeb8bf1cf841

SHA256
6438c683e376583f6368c582ce3caab274cf3f7d7320e7f6cda427ba338847ca

SHA512
146ae3230c213ffab4b2c7805374ccb5f53155266ba9213d8f22e073deef0bd733b9488c2091c3db037c1d1dfaa4bbfb90e2afd041a447603c25690681239ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
e9d4a1374a200a6e195e3c5ab42e6bbd

SHA1
c0c79309a6ab14592b91087bec0cc519979e5ebf

SHA256
612df2aaf3435c2be575581d1b2deddcef33f1b53179acff3e4ac24a0fcd3d50

SHA512
1de9d70036eb5211184b3b40f671608cf75b539f6fd36b812facdd9722927eb8e5c4c579db6a360003d06cc139f2ddbda8d19de17cb3a36fcfb53e462a9d7b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
10a42548fcf16732d354a6ed24f53ec5

SHA1
b6b28307c0cc79e0abef15ed25758947c1ccab85

SHA256
ca3e5b21f83d87a958ba7934c5e4d8e7939b2e9013fe2deaeba1f9088b4277bb

SHA512
ecebb5973ecf8f34115985ae24061c29a9d943592389a4e8f215df7408c770a1f7c6c8927d30403d5c43814a4b64ac622ec018be02532f88dbbca6d6208266ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
5d3da2f634470ab215345829c1518456

SHA1
fec712a88415e68925f63257d3a20ab496c2aac0

SHA256
d2ed53111a652fde26c08504803f76301fce2fba04f33a7f250b5b2569e4f240

SHA512
16079ce0bcc9816297f23c95573bd52da08b29b90da4855b4315b3fa98947b1b35ffd30760064144f3f5647c27e0c1bd3aba623d17364fff45c9b2fa598a2ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
c74e10b82c8e652efdec8e4d6ad6deaa

SHA1
bad903bb9f9ecfda83f0db58d4b281ea458a06bd

SHA256
d42b2d466a81e8e64d8132fad0f4df61d33875449ead8d4f76732b04f74bbce6

SHA512
5cc4b0d7e862fd32e8374501d1b8798e369b19dc483cdb568915b48a956e4f0a79b1d2c59322394128a330fea7c939161a7af1787b4dc5f250e74f8df8805f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
e07a207d5d3cc852aa6d60325b68ed03

SHA1
64ba9a5c2ca4b6af03e369a7c2a2b3c79cac6c51

SHA256
b8fdf7893ff152a08fbc4d3f962905da3161b0b9fe71393ab68c56199277e322

SHA512
0dbafab60618ec0c815ae91994490c55878c904af625ba6931fe0ea80eb229c98e367623e472e3b4c0e27e0af6feeb4d2cdacd4c426e1a99a1291b41cc52f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
98bf2202e52b98a742f24724bb534166

SHA1
60a24df76b24aa6946bb16ead9575c7828d264b0

SHA256
fe005d1a7908e36d4fd6cb2711de251462c9bebf99e4060687df11bd0bbedc8a

SHA512
d346eaf8a966720e47099293d91f2856c816acb7e5f952e6700e007ba176147218798648a4a3e1b928e7a46622ef3603aa4d909113fb02d5551c40ed0e243441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
6edcd747d5beb5d5b0550b9e8c84e3a3

SHA1
8b8baf8f112ac0a64ee79091b02a412d19497e69

SHA256
d5b5c4ee347678e60af236c5e6fd6b47ad5786e080d14fdb11af0aa5740e7760

SHA512
1bc72f7b6b13374dab05f8914dc96f194bfa86cad4549a3fca1dd79485cfdbe1d45053f197e2bdd280b8787edcbd96c4c74dffdf044c99520148d153bb0a438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
374349666a3b260411281ab95c5405a2

SHA1
42a9a8f5d1933ec140bd89aa6c42c894285f14d1

SHA256
2a6f53be6e8b8fabbf8fcc2ac1224f70628f4ab35e0b36612a6728df7685d56a

SHA512
5c4a79503f83eb8e12a38605c1ab2cf6332f7ef845dc7ac5c34dc71cb86e903dc002c91a7142a56433fff97ff21ec926c9cc0be92a31ecffe2a7c5e042d6fc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
06f29e2e2ebc8e3d8d0110a48aa7b289

SHA1
b9047a9aa94d25f331e85aa343729a7f3ff23773

SHA256
6c24d050afc07bc5d2ba5eb07840345569b52e97442bcc7c4413fccedc11e6c4

SHA512
9de0b3f3ab2c0ed61920d99e3a931bbc08015d848907bf4cd5cb2c81017de4d23f2f8977a3a7895b92208ae7e5753ab8c4b00c00e375da005b432b5534ea7838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
a1002f4a501f4a8de33d63f561a9fbc6

SHA1
e1217b42c831ce595609cfde857cd1b6727c966d

SHA256
fe94985959fe310cafa1eb3e32f28001ef03afefd32497d0c099eb9393bf6f4b

SHA512
123a5ebca5d8a1292f238bab3bd8cc12ab3157672a904361a72f5f7177f4ce0dd4708fdfda34f2ed0b4973ad7d92bc69b85651687a4604def4bf7bdca5d49b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
9f15a5d2f28cca5f4c2b51451fa2db7c

SHA1
cef982e7cb6b31787c462d21578c3c750d1f3edb

SHA256
33af8b4a4f1f9a76d5d59fdf634bb469ca9a830133a293a5eef1236b27e37e63

SHA512
7668d42fd8cce5daa7e0c8c276edd3bda0d4ee1c5450fa8d46cf7600f40b2f56e024f98157a86e9843d0b7d33cb281ebdca3a25275e08981f5d9cbaad1cfe371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\base_library.zip

Filesize
1.3MB

MD5
763d1a751c5d47212fbf0caea63f46f5

SHA1
845eaa1046a47b5cf376b3dbefcf7497af25f180

SHA256
378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7

SHA512
bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\python3.dll

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\select.pyd

Filesize
30KB

MD5
79ce1ae3a23dff6ed5fc66e6416600cd

SHA1
6204374d99144b0a26fd1d61940ff4f0d17c2212

SHA256
678e09ad44be42fa9bc9c7a18c25dbe995a59b6c36a13eecc09c0f02a647b6f0

SHA512
a4e48696788798a7d061c0ef620d40187850741c2bec357db0e37a2dd94d3a50f9f55ba75dc4d95e50946cbab78b84ba1fc42d51fd498640a231321566613daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\ucrtbase.dll

Filesize
1.1MB

MD5
a9f5b06fae677c9eb5be8b37d5fb1cb9

SHA1
5c37b880a1479445dd583f85c58a8790584f595d

SHA256
4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52

SHA512
5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\unicodedata.pyd

Filesize
1.1MB

MD5
b848e259fabaf32b4b3c980a0a12488d

SHA1
da2e864e18521c86c7d8968db74bb2b28e4c23e2

SHA256
c65073b65f107e471c9be3c699fb11f774e9a07581f41229582f7b2154b6fc3c

SHA512
4c6953504d1401fe0c74435bceebc5ec7bf8991fd42b659867a3529cee5cc64da54f1ab404e88160e747887a7409098f1a85a546bc40f12f0dde0025408f9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMcsEMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\swgb.exe

Filesize
105KB

MD5
6b7d883b6364e15d8f3971d053a59cbb

SHA1
4f853a13ef128e8421278335227236d6bcff4171

SHA256
5d91cc80a9519cc1d9aad0434d5e7ab0f5b5fd66717ad8f7e77ea418741f8b76

SHA512
ca331e4976e6b42664a21aeffaaf6081d94ffa686c9e46caa96b10b131321200c76717e69eea96171d23efe102ff037e3dd7af3772f40958cb69c9ee19c75dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywgoqplxpgxqlxx.exe

Filesize
168KB

MD5
eda2857f7c47efe1aa3454e26bb238af

SHA1
b79b3974a6c43a3e6a1b7b1d30f4c1f0659e88fa

SHA256
cac7b19648d7e6373fd787a4224213afa58355a651bf0df7dfdaf7fb3f1a9dc3

SHA512
a553154b3e7ce8c4dbd4159c66475f99c91b9f4e0944a7a7196d585c51ee4038c9b8c4883f13ca78ee9505925480e44d6c1e2aca9c6a599bccb9f63db4a6e992

Download Submit
C:\Users\Admin\AppData\Roaming\VIP72.exe

Filesize
507KB

MD5
ed9d5228f09a3b6ab41654ae4535e13b

SHA1
39d26043d0e2cba9b3ec9fbfe0cc920a3bb45665

SHA256
98b0708f87e441e6ab181053cf6808ebc7671134624feb047222a9324a9f7847

SHA512
f93e7e2dc089b771079ab91667976ab14e42d07bab0468fa0b59d7d701cee85d615284e10549538ebd1cdf38c9c8555cd81d4688affd62ac4aa92cb570c53f48

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
649KB

MD5
e45a79fdfd9c1823eadd96bdc52cbf30

SHA1
5124ab3e7a273485a4e64622957add0c07047f19

SHA256
d43131875d36af3deaecb0fdd75ef3f9c94510d0685cabfe6e56ce72e139b795

SHA512
efc5301117aac1339deff299835e070d049ced5d8a7de07adb2ab353fe2f4adc6f9a5c88ba8d7a51bd3826a5e3ca9e616c59b2eb5db1af51d12e349fef1728ec

Download Submit
C:\Users\Admin\Downloads\240920-p3esssxenj1479015cbe6fb3998c190dc42f3165066bf3191f841e0bb92df6484c0611e70cN.exe

Filesize
590KB

MD5
f87998129273ccb8fb510f1360fc41b0

SHA1
8247d570ba2ed745c9f71953a36743bcc03e3088

SHA256
1479015cbe6fb3998c190dc42f3165066bf3191f841e0bb92df6484c0611e70c

SHA512
e4c270fa21461db3dc0913e981dd124997f549346382f8e522795356ed509ad837609837dcd305fc7a993f046a11dc93ca72963a754b07460eae32574d67c05e

Download Submit
C:\Users\Admin\Downloads\240920-p76gbaxgrm94e1244cd103c4d6e8b961ffcda9f71b7359f665535b3a0170f399f307089effN.zip

Filesize
1001B

MD5
f9575614387b2862d4e678197b9a7226

SHA1
fc892009f6cd21dab879a2d8856fcb4e835f1534

SHA256
d50d12d8bc3d004db64660548b9562d0eafa8ef37892d8ffb5c042c5ab9ed98f

SHA512
7ce759088c4f939de6ac4b8b526d96fd928c98f08d8c23254d9ed9e3f2ef2b39a2b46b89d0b32efebc19485c09b543ad0a7e7529fa6e75ef5a98d7b05be14b10

Download Submit
C:\Users\Admin\Downloads\240920-psfmcawgjcmain.bat

Filesize
37KB

MD5
3c8a495ee741b9c8cea966ae960bba48

SHA1
190cabc05240c6fc20d2dcfefe7df306101e97ea

SHA256
3863fe1d3a3cae271b02417e5f3c4ced2f227c27e55905e198fec820a19eaf62

SHA512
5b86790dacff4d3cbc710da2915e546f4ac5cb327529340d6e79932e091ae01ff474ae3f239ea816051d38610399ad95b060dccca761de6e064cbb5bcfca454e

Download Submit
C:\Users\Admin\Downloads\240920-pznxasxdmk384601ce9d5b15f2fc46f59ad2ea668675787b217565bc141291233190c25390N.exe

Filesize
1.2MB

MD5
6fa29f3e663dabc30fb51071782d4080

SHA1
1a50d2b4606500a9fda12fa1607128c38ce65fde

SHA256
384601ce9d5b15f2fc46f59ad2ea668675787b217565bc141291233190c25390

SHA512
e223524c17dc86d43f04561cd874cc19bbeb08c107be90ff0463e71c5c291c2c5cccf9cfb74f871573b2752973044cfda712450607980e433188accfec1bd1db

Download Submit
C:\Users\Admin\Downloads\240920-qf6hnsxhleRadarCheat.exe

Filesize
7.5MB

MD5
313f5cedbe84b5c28698cc5b2950577a

SHA1
a0aeec1d939ccb1f9c9f2b4109f050eb877738e8

SHA256
321cdb97d4a304027e9990a9825d00e66e677e23f6dcca1b6ca962e0bfe745b0

SHA512
539dc0aa7954c79d5aa6be55769b4df3ebbe1618008da807bbf8bd31a7b1372f8a26e56cbd919cca1e096c8500f2cc89e3a1803aa0cb968a96766021e7a4b242

Download Submit
C:\Users\Admin\puazui.exe

Filesize
100KB

MD5
1e243b602a358c3db2192cc9ff7367e8

SHA1
31a2184e7bfca5155bec1d015886fbeb2235534c

SHA256
6cf97a4c1dcb8b314d8626ec3d0584a6e97a581ea5e67fcc85aad4cb402f5ca2

SHA512
a6ed7ba1f3e5b6973331e50e1314c39d2f8b6e8d982fd2a4b98d17ee7a257bb15ff1edfb981127d00827efb4317a075b9c722f85601b5a1a50ff424295c9a108

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
121KB

MD5
b168da0d56f16608ae99b7ea3f3ffcd5

SHA1
e03dab1297b238dfa6b0a9e315f156214b7c1117

SHA256
07a63f9539baddc8e930039e08dc5cc91b4b40ed2d603cb67bb1435be5b5d8f6

SHA512
7d48f3a817a8fcb295b983f29962dc5512c3db4648af6b415a871dd129c92bc8ad7b813bcb32335c5f42ba347e6ccd9d61f2f210da9082d2099ece164159df0f

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
206KB

MD5
c8f00826da454b322739048a4a96bdb1

SHA1
5ada71477bd354958c43314c3353e9967dc8fa07

SHA256
11a86df3a35bcd88d2d7b6b7aeb65c9962887f0889fe28e81994ee97dcd3669f

SHA512
338e3bcc8c56acf53283cc49f72f11dbf18abeb1ac45d756fa1d9ee0673cdbaae48cf3bb013f08b7f65e09be481acff5782480d310d4d52e2b6541935e580070

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
95KB

MD5
71389705deb5209d6248a67f1a88f2f0

SHA1
fe06d929ca98476f9a9c998132da5b2f95fa3960

SHA256
72a34d9d712254e77b9bc3ff400bdfade13c6a0dd1e77a2dceed440333bbd62e

SHA512
62f2fce1d36da2e5f23ce63a60adb37b6667430fde820c4ebaf238f7f617ef311a665d12471eee8b0087972b91f44c6f9169cfa73834003f31221b5711239a89

Download Submit
C:\Windows\SysWOW64\Bkhceh32.exe

Filesize
479KB

MD5
aca0cd360bd90644a0076d86e9476100

SHA1
6e28e0e28064893d31e659ae3afb26d18c1acc28

SHA256
e74a32e009cb8730cd1f3d529ca944ec72215b4b4a075b2e0b596608db66a52a

SHA512
7a9d749ccdfd56b64ff11018674ab7cf0101ed6771de8f649e0e001422affc3c6f87c96d2b1fe0ef0a82277fc969303708b01a6fc05689e6387e06a925ca837e

Download Submit
C:\Windows\SysWOW64\Dbdjofbi.dll

Filesize
6KB

MD5
cbe564309468768fdc7f814887736a69

SHA1
1e548506783464d7927f1ea120a7ca13eabbd10c

SHA256
78fb007142ddaa544efec674ebba794f985cdbbce57a3f882ffa21828e27d676

SHA512
7615de05a89fd394bc8d8dd79a059619a4a89222b6533fc4e6f5fdd7aa239507fbcf093b94d21cb54b2d184222f441c83258dda9bf318d7c1b74b08da98bda33

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
144KB

MD5
a8e2d529b198e9c74601ea24de7776e0

SHA1
575b6e46a732194a75fca7bfe31b5cbfd0710f14

SHA256
49294e7aedb089512f1d04e7a823837ff5d0740947f7c95f71b89f69fab16e70

SHA512
4a923b9505171792df272a23c4ddef3ba6e203cb96196d19eb251644b929a2de105f72778b22a833d7b1dcacbb0659c12f23b5dfa1fd23a23e5e61bc28bd015b

Download Submit
C:\Windows\SysWOW64\Ekfjcc32.dll

Filesize
7KB

MD5
60cdda522f6690c1840a687f1bb43917

SHA1
39c6103e9503ac698433b138929e3bef8d961429

SHA256
f86450b9ac96b6d1a75a8683fdf2c220fde2f81179a16f2daec76f439abd9710

SHA512
b96c927cfdb1f101b2a5f3db9979dec7f94e3f0a12778549c8dfe363f47ccdbbce6461fb522674f83853fdb6a12ce3e7ac98a6a8b747fe4a85547df974a928a5

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
320KB

MD5
ea2e46c2d9828206b91c02146c0f8760

SHA1
f354d7367f7e47788bd12db034fa54c1510ef7b2

SHA256
b536db3bd2c005b90eb5867b319c0e99c5171518d0072a4547cef27120f0c07f

SHA512
3299ad7763fa7978d655f2429b4c96a659b84656b174bf989ca0bb18bb2cb24a41837b148dda09ecca053c833a9a310a57d95f245cce5d490f4f1194aa6c9e2c

Download Submit
C:\Windows\SysWOW64\Fpekmi32.dll

Filesize
7KB

MD5
6ffaeb10b20c12211008650ffd951a3e

SHA1
5ea57fb7e4edf8e1ee63b455aef6b989a3fd96ea

SHA256
7c93c70ca46d52931ef14fc3595601451eacc43ba9a09377a6141c6afb574c65

SHA512
38f05388dc8d3e4533a678d4842dce27b489d221ff073aa0afb7c37423906401a461d14f8f64d7d6459d578fe179ef9d6f71c8dac07277d40699c8a1005ffdd3

Download Submit
C:\Windows\SysWOW64\Ljkghi32.exe

Filesize
320KB

MD5
215ce77be58ab1a852a9f7ac5c82226e

SHA1
00ccf2bb99f3b3ca2a4396aacdccb084accd4fd6

SHA256
b770c91170c1e854b6eabc4a6af3609b535a5dffaecdc70c20fb937c363d087b

SHA512
5c797b22d3a2ae75cc49261e29e8d5a577f9b7fb80e9b60844873f8f577f68c9c16ed607c481ae1c8e0d7ee9e059b21669e8f2244cfbd8ee9c8bd34007e110a9

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
273KB

MD5
0cbedb5d911423c55e89e675070f32c7

SHA1
6e0d9313543a657b1993c39be47c4e39d7d2a498

SHA256
c80666f05df2fb2d9f1709b732d3e33bb04263b522b596e18ad0ae609859835a

SHA512
08894ae7638ff20c28f89ba9a8c44442e4e62bc3bc6bfd16ce59499c2924473d8909396b83678733da68413bae4b3f66317d631d6adb9eb0875ae4d034142458

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
144KB

MD5
008b79d94e2230723c5a981efb03005d

SHA1
f1d62f74823e275dff2ec3266ef396c46a238e94

SHA256
c0de24d354f0945b5bdea8371afb113c2efc2ac2a818233acbeeb71af43e96e0

SHA512
f8581d028202166ed3595897b95209b7a656a14729f8d1962f49d58ca948f04c600066c5f25af69c6784a37ec16e0eea18373d872385cba1a30cd4d05e7c82cc

Download Submit
C:\Windows\SysWOW64\ntos.exe

Filesize
175KB

MD5
215adca078285352979059a573516e70

SHA1
a54957d86eff50ac22c0d894867efe7d260bec62

SHA256
3eb6b5ce216b1c8942c86dda965c1e23f5d703c5ca8a79e0cf72ecc13cd14da4

SHA512
72c429d88a1789069187409252ef60d870c351bc4757b3064b7303b63c2733cae7ba4bc8c5bb51874350d6d38ef5a2f679c506c1917993fb33f90cd0668d0a9e

Download Submit
C:\Windows\SysWOW64\rjejuydqga.exe

Filesize
255KB

MD5
01b1cc1f3b20721bb69646bff1d59c12

SHA1
c2aa7779c56062e5a79e7780a061f08b24d225c5

SHA256
475bd7cafae45c08f941db7259399aeac5c6e67eabf2d66ce749804caa29427e

SHA512
010825c01b619bbc71f5a8d828d8e1db94a07d54a8926ecbec1678b660d52f3ea05d4211a3b4ffb1cca627d64c645a0c08cc22e63d8b51b87f6e5081793ed26c

Download Submit
C:\Windows\SysWOW64\svshost.dll

Filesize
2KB

MD5
b595f9904102e0ae22b75d909b62e7f6

SHA1
92e2b4699cb29dfb0410cd39939f86939cd74de3

SHA256
3eff401c1ff4d5cbdce755bb3433189deb69fca2a4094fbd13a5518d13984b18

SHA512
20686e36bc4b9df8878835bd8b3d7511a31c956892907c165809a7e65b3525815389324f8c8d30453dd10ab0ae512e1de81f1b4eceeaeba60260d70491bb061f

Download Submit
C:\Windows\SysWOW64\uvtsfubf.exe

Filesize
84KB

MD5
eda10913cdc60c352847611bd3db5ee6

SHA1
17a65936683136e137908874414556e059827f26

SHA256
fcf36ea48c215a7b92c4298bc1866b15c7bdd85620e1fe0121d59238e4d04885

SHA512
477bcebb4a757ffdeb6fef162a597076aa5b56c71b10d496fe96a7d1e8e9c29b33089af5ee19d7645c8ed0b5968e9a2098b04cab3b1953bed55e93392ae083f2

Download Submit
C:\Windows\System32\nuEvWtR.exe

Filesize
1.7MB

MD5
6501aba6063c0bc0909884d54fb7fa18

SHA1
95be48065d0e969e31fab1407a2580187a3c7f18

SHA256
5a04836aa9015c95936989343131ef2cc4840a7b94d0aef68f8a8d72192f7a76

SHA512
60e714f7297ac1e0f5b561111c3c431392829dbc503a7094b6846a4f1871cf73abdd2fced7540d2bff4fbf98df5ae5b510507f72fe10c9d2e977c848e67244c0

Download Submit
C:\Windows\System\explorer.exe

Filesize
292KB

MD5
beb50ffa3e7fb20c6e6f2352c502cb13

SHA1
854f5f7e8306a2b7cf4c3ca5ae4b928db88725ba

SHA256
854bc0232a60615b936ce26d476850641fe62379002717018957f02b99b80a83

SHA512
1dd72cde47bab99abd576c8e88387a9587cac785df90d08ece79e02dbb3ad4954cb75066b6a4bdc789ef52c9390d881191bf11cb755747864e828b6f4a5d2675

Download Submit
C:\Windows\System\fRHTEZs.exe

Filesize
1.9MB

MD5
0b67d997d43818c4f81d12cbb8dd7fbc

SHA1
795dd203839d145aa37162df524a908ef8abbec9

SHA256
0a3e6c38969eb813a50ce163cdf0f5f9d52b8e112d1bc2e347ee497d36128939

SHA512
8e03b3bf03b6b4011b3fd7511da23190f3092808a9ebe4f25a43e7d7b1c3f9d8f5573a79106cca863023eae76280593e94e10333ad686565e8bc336c36470e40

Download Submit
C:\Windows\System\llfJYpi.exe

Filesize
8B

MD5
f6061fc6a7c99ae821a125be5d34b682

SHA1
cd62deeb3efa237b04e342e9238578fd370ae14d

SHA256
700c9a719b011e50437e2fa1d083a87e3381f4f178b8b9f9899f4bbf7503df60

SHA512
cc6b78f85499cc18661ced0cca34cc6f25b4f82783646930e95bb966639561cabaf13feff5c13c58aa77b6804729d0ec64978f44b9a573d37b44aa1603320b3d

Download Submit
C:\Windows\userinit.exe

Filesize
404KB

MD5
ed9f7a7c302a2f6481b205dd67dccd97

SHA1
827d2088375f7c7d7751bca9ed2700690f9c67de

SHA256
eac8382ea45ebe971d0ebfb9666ad61a5a39b8206bcdf9d8cef58a2da3abbe6c

SHA512
f52f9b246daa0038452ee2201767a048f8d89d9bf672cec2810ad91f6fec55818d834b87108305d29193999c32c5c8e1822d012d408339ac978ee6fce4bc3f52

Download Submit
C:\bttnhb.exe

Filesize
298KB

MD5
3faa54bfea231bd1944ffff263e155e4

SHA1
48f7fd91e1eb4507e997f9efa351e8afa4e8220c

SHA256
2c24b25eadb460da8959c3e0b30e3b3a50920c65f64d6d7643f1ecfa165eb83f

SHA512
ead39e36b4b870b4375c1b064364f739cd3b201b77b072e641815bd83077561e2ae0b7d8c74b0603f6dd8f81ea89921cef6ccb68eaca17d643f0f6a55f28376e

Download Submit
memory/848-486-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/848-529-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/848-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/928-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/928-525-0x00000000006A0000-0x00000000006A2000-memory.dmp

Filesize
8KB

Download
memory/928-478-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1124-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-469-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/1132-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-448-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1640-540-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1640-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-538-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1996-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-492-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1996-532-0x00000000006A0000-0x00000000006A2000-memory.dmp

Filesize
8KB

Download
memory/2052-482-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2052-527-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2052-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-496-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2308-534-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/2308-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-926-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-467-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2896-444-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2896-443-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2896-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2896-182-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2968-176-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/2968-245-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/2968-446-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/2968-468-0x0000000002F00000-0x0000000002F02000-memory.dmp

Filesize
8KB

Download
memory/3048-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-473-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3348-517-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3476-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3476-484-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/3476-528-0x0000000002040000-0x0000000002042000-memory.dmp

Filesize
8KB

Download
memory/3492-774-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-475-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3940-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-518-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/4192-530-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/4192-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-488-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4320-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-516-0x0000000002040000-0x0000000002042000-memory.dmp

Filesize
8KB

Download
memory/4388-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-471-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4392-490-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4392-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-531-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/4760-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-536-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4816-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-533-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/4816-494-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4904-480-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4904-526-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/4904-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5040-773-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5156-542-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/5156-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-927-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5192-544-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/5192-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5212-419-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/5212-417-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/5212-381-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/5212-324-0x0000000031420000-0x000000003143B000-memory.dmp

Filesize
108KB

Download
memory/5212-420-0x0000000031420000-0x000000003143B000-memory.dmp

Filesize
108KB

Download
memory/5212-344-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/5212-398-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/5244-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5304-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5352-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5388-979-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5416-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5460-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5520-618-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5540-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5572-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5632-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5652-620-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5668-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5680-497-0x0000000000160000-0x00000000001B4000-memory.dmp

Filesize
336KB

Download
memory/5728-734-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5752-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5768-422-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5804-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5852-735-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5864-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5912-736-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5916-505-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5924-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5956-738-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6012-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6068-739-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6092-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6508-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6560-658-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6632-659-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6772-660-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6784-799-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/6784-765-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/6784-764-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/6784-723-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/6816-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6872-696-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6924-693-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7036-694-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7092-695-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7216-775-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7248-776-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/7316-777-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7380-809-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7420-804-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7460-805-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7500-807-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/7552-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7620-837-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7668-838-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7692-839-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7720-840-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/7772-841-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7804-874-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7836-875-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7872-876-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7908-877-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/7944-878-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/7980-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8032-928-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8068-922-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/8104-923-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8140-924-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/8176-925-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download