aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769

Analysis

max time kernel
44s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Size

130KB
MD5

fda298f72a1983e613b35cb3becd6ad3
SHA1

624d8e8c2a0967300cd784b426f2458c260c1ec0
SHA256

aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769
SHA512

bda59edc47edd9cc5ed7e3cf36f47cd6c09155e78071ac35898cfc8257137cfa0df2d3e47a7523bd0d627e2b707134d8fd62033acbc9551e6b2324083a824efe
SSDEEP

3072:Yq6jDD70ClF9yU0kT1mNL9j3FRnOatS2OULqLUe2Mnu:Yq6jDD7v79ytk0V9j1ROatCUcu

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe

Deletes itself 1 IoCs

pid	Process
2856	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2528	msdbgcli.exe
3064	msdbgcli.exe
2896	msdbgcli.exe
1360	msdbgcli.exe
1972	msdbgcli.exe
2572	msdbgcli.exe
1316	msdbgcli.exe
2060	msdbgcli.exe
2124	msdbgcli.exe
2740	msdbgcli.exe
1616	msdbgcli.exe
2720	msdbgcli.exe
2076	msdbgcli.exe
1424	msdbgcli.exe
2256	msdbgcli.exe
1476	msdbgcli.exe
1512	msdbgcli.exe
568	msdbgcli.exe
2624	msdbgcli.exe
1712	msdbgcli.exe
632	msdbgcli.exe
1156	msdbgcli.exe
1968	msdbgcli.exe
2312	msdbgcli.exe
2936	msdbgcli.exe
1468	msdbgcli.exe
1516	msdbgcli.exe
1880	msdbgcli.exe
2596	msdbgcli.exe
1580	msdbgcli.exe
2536	msdbgcli.exe
1324	msdbgcli.exe
1932	msdbgcli.exe
2032	msdbgcli.exe
2192	msdbgcli.exe
968	msdbgcli.exe
1520	msdbgcli.exe
1668	msdbgcli.exe
1948	msdbgcli.exe
860	msdbgcli.exe
2508	msdbgcli.exe
2348	msdbgcli.exe
2788	msdbgcli.exe
608	msdbgcli.exe
2460	msdbgcli.exe
1696	msdbgcli.exe
892	msdbgcli.exe
1476	msdbgcli.exe
928	msdbgcli.exe
1560	msdbgcli.exe
2956	msdbgcli.exe
2540	msdbgcli.exe
1924	msdbgcli.exe
2040	msdbgcli.exe
1872	msdbgcli.exe
932	msdbgcli.exe
1808	msdbgcli.exe
2988	msdbgcli.exe
3028	msdbgcli.exe
1512	msdbgcli.exe
2096	msdbgcli.exe
920	msdbgcli.exe
2552	msdbgcli.exe
1192	msdbgcli.exe

Loads dropped DLL 64 IoCs

pid	Process
2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
2528	msdbgcli.exe
2528	msdbgcli.exe
3064	msdbgcli.exe
3064	msdbgcli.exe
2896	msdbgcli.exe
2896	msdbgcli.exe
1360	msdbgcli.exe
1360	msdbgcli.exe
1972	msdbgcli.exe
1972	msdbgcli.exe
2572	msdbgcli.exe
2572	msdbgcli.exe
1316	msdbgcli.exe
1316	msdbgcli.exe
2060	msdbgcli.exe
2060	msdbgcli.exe
2124	msdbgcli.exe
2124	msdbgcli.exe
2740	msdbgcli.exe
2740	msdbgcli.exe
1616	msdbgcli.exe
1616	msdbgcli.exe
2720	msdbgcli.exe
2720	msdbgcli.exe
2076	msdbgcli.exe
2076	msdbgcli.exe
1424	msdbgcli.exe
1424	msdbgcli.exe
2256	msdbgcli.exe
2256	msdbgcli.exe
1476	msdbgcli.exe
1476	msdbgcli.exe
1512	msdbgcli.exe
1512	msdbgcli.exe
568	msdbgcli.exe
568	msdbgcli.exe
2624	msdbgcli.exe
2624	msdbgcli.exe
1712	msdbgcli.exe
1712	msdbgcli.exe
632	msdbgcli.exe
632	msdbgcli.exe
1156	msdbgcli.exe
1156	msdbgcli.exe
1968	msdbgcli.exe
1968	msdbgcli.exe
2312	msdbgcli.exe
2312	msdbgcli.exe
2936	msdbgcli.exe
2936	msdbgcli.exe
1468	msdbgcli.exe
1468	msdbgcli.exe
1516	msdbgcli.exe
1516	msdbgcli.exe
1880	msdbgcli.exe
1880	msdbgcli.exe
2596	msdbgcli.exe
2596	msdbgcli.exe
1580	msdbgcli.exe
1580	msdbgcli.exe
2536	msdbgcli.exe
2536	msdbgcli.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2732-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x000a000000012262-6.dat	upx
behavioral1/memory/2528-16-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2732-17-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2528-28-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2896-33-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/3064-36-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2896-46-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1972-56-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1360-54-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1972-64-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2572-73-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1316-74-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1316-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2060-93-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2124-102-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2740-112-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1616-120-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2720-130-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2076-138-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1424-142-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2256-147-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1512-152-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1476-151-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1512-156-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/568-160-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2624-165-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1712-170-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/632-174-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1156-180-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1968-185-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2312-188-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2936-193-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1468-197-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1516-200-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1880-205-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2596-210-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1580-212-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2536-219-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1324-216-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1324-224-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1932-229-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2032-230-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2032-235-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2192-239-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/968-240-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/968-245-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1520-251-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1668-256-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1948-257-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1948-263-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2508-266-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/860-270-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2508-276-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2348-281-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/608-287-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2788-286-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/608-292-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2460-297-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/892-301-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2528	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3064	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2896	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1360	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1972	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2572	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1316	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2060	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2124	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2740	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1616	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2720	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2076	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1424	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2256	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1476	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1512	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	568	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2624	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1712	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	632	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1156	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1968	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2312	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2936	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1468	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1516	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1880	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2596	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1580	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2536	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1324	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1932	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2032	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2192	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	968	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1520	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1668	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1948	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	860	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2508	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2348	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2788	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	608	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2460	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1696	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	892	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1476	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	928	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1560	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2956	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2540	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1924	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2040	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1872	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	932	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1808	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2988	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3028	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1512	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2096	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	920	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2552	msdbgcli.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2528	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2528	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2528	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2528	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2856	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2856	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2856	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2856	2732	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	31
PID 2528 wrote to memory of 3064	2528	msdbgcli.exe	33
PID 2528 wrote to memory of 3064	2528	msdbgcli.exe	33
PID 2528 wrote to memory of 3064	2528	msdbgcli.exe	33
PID 2528 wrote to memory of 3064	2528	msdbgcli.exe	33
PID 2528 wrote to memory of 1660	2528	msdbgcli.exe	34
PID 2528 wrote to memory of 1660	2528	msdbgcli.exe	34
PID 2528 wrote to memory of 1660	2528	msdbgcli.exe	34
PID 2528 wrote to memory of 1660	2528	msdbgcli.exe	34
PID 3064 wrote to memory of 2896	3064	msdbgcli.exe	36
PID 3064 wrote to memory of 2896	3064	msdbgcli.exe	36
PID 3064 wrote to memory of 2896	3064	msdbgcli.exe	36
PID 3064 wrote to memory of 2896	3064	msdbgcli.exe	36
PID 3064 wrote to memory of 564	3064	msdbgcli.exe	37
PID 3064 wrote to memory of 564	3064	msdbgcli.exe	37
PID 3064 wrote to memory of 564	3064	msdbgcli.exe	37
PID 3064 wrote to memory of 564	3064	msdbgcli.exe	37
PID 2896 wrote to memory of 1360	2896	msdbgcli.exe	39
PID 2896 wrote to memory of 1360	2896	msdbgcli.exe	39
PID 2896 wrote to memory of 1360	2896	msdbgcli.exe	39
PID 2896 wrote to memory of 1360	2896	msdbgcli.exe	39
PID 2896 wrote to memory of 1036	2896	msdbgcli.exe	40
PID 2896 wrote to memory of 1036	2896	msdbgcli.exe	40
PID 2896 wrote to memory of 1036	2896	msdbgcli.exe	40
PID 2896 wrote to memory of 1036	2896	msdbgcli.exe	40
PID 1360 wrote to memory of 1972	1360	msdbgcli.exe	74
PID 1360 wrote to memory of 1972	1360	msdbgcli.exe	74
PID 1360 wrote to memory of 1972	1360	msdbgcli.exe	74
PID 1360 wrote to memory of 1972	1360	msdbgcli.exe	74
PID 1360 wrote to memory of 3004	1360	msdbgcli.exe	43
PID 1360 wrote to memory of 3004	1360	msdbgcli.exe	43
PID 1360 wrote to memory of 3004	1360	msdbgcli.exe	43
PID 1360 wrote to memory of 3004	1360	msdbgcli.exe	43
PID 1972 wrote to memory of 2572	1972	msdbgcli.exe	45
PID 1972 wrote to memory of 2572	1972	msdbgcli.exe	45
PID 1972 wrote to memory of 2572	1972	msdbgcli.exe	45
PID 1972 wrote to memory of 2572	1972	msdbgcli.exe	45
PID 1972 wrote to memory of 944	1972	msdbgcli.exe	46
PID 1972 wrote to memory of 944	1972	msdbgcli.exe	46
PID 1972 wrote to memory of 944	1972	msdbgcli.exe	46
PID 1972 wrote to memory of 944	1972	msdbgcli.exe	46
PID 2572 wrote to memory of 1316	2572	msdbgcli.exe	48
PID 2572 wrote to memory of 1316	2572	msdbgcli.exe	48
PID 2572 wrote to memory of 1316	2572	msdbgcli.exe	48
PID 2572 wrote to memory of 1316	2572	msdbgcli.exe	48
PID 2572 wrote to memory of 1544	2572	msdbgcli.exe	49
PID 2572 wrote to memory of 1544	2572	msdbgcli.exe	49
PID 2572 wrote to memory of 1544	2572	msdbgcli.exe	49
PID 2572 wrote to memory of 1544	2572	msdbgcli.exe	49
PID 1316 wrote to memory of 2060	1316	msdbgcli.exe	51
PID 1316 wrote to memory of 2060	1316	msdbgcli.exe	51
PID 1316 wrote to memory of 2060	1316	msdbgcli.exe	51
PID 1316 wrote to memory of 2060	1316	msdbgcli.exe	51
PID 1316 wrote to memory of 1912	1316	msdbgcli.exe	115
PID 1316 wrote to memory of 1912	1316	msdbgcli.exe	115
PID 1316 wrote to memory of 1912	1316	msdbgcli.exe	115
PID 1316 wrote to memory of 1912	1316	msdbgcli.exe	115

C:\Users\Admin\AppData\Local\Temp\fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\msdbgcli.exe
  "C:\Windows\system32\msdbgcli.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\msdbgcli.exe
    "C:\Windows\system32\msdbgcli.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\msdbgcli.exe
      "C:\Windows\system32\msdbgcli.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        26⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        28⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        29⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        30⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        33⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        34⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        35⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        37⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        38⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        39⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        41⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        42⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        43⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        44⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        47⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        50⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        51⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        52⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        53⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        54⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        55⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        56⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        57⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        58⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        60⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        61⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        62⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        63⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        64⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        65⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        66⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        67⤵
        Drops file in Drivers directory
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        68⤵
        Adds Run key to start application
        
        PID:2264
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        69⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:1520
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        70⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        73⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        74⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        75⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        76⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        77⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        78⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        79⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        80⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        81⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        82⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        83⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        84⤵
        
        PID:632
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        85⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        86⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        87⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        88⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        89⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        90⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        91⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        92⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        93⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        94⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        95⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        96⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        97⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        98⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        99⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        100⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        101⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        102⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        103⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        104⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        105⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        106⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        107⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        108⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        109⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        110⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        111⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        112⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        113⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        114⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        115⤵
        
        PID:572
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        116⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        117⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        118⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        119⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        120⤵
        
        PID:888
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        121⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        122⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        123⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        124⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        125⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        126⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        127⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        128⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        129⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        130⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        131⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        132⤵
        
        PID:888
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        133⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        134⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        135⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        136⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        137⤵
        
        PID:632
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        138⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        139⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        140⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        141⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        142⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        143⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        144⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        145⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        146⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        147⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        148⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        149⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        150⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        151⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        152⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        153⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        154⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        155⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        156⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        157⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        158⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        159⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        160⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        161⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        162⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        163⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        164⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        165⤵
        
        PID:784
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        166⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        167⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        168⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        169⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        170⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        171⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        172⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        173⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        174⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        175⤵
        
        PID:380
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        176⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        177⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        178⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        179⤵
        
        PID:928
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        180⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        181⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        182⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        183⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        184⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        185⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        186⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        187⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        188⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        189⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        190⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        191⤵
        
        PID:928
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        192⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        193⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        194⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        195⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        196⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        197⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        198⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        199⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        200⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        201⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        202⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        203⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        204⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        205⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        206⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        207⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        208⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        209⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        210⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        211⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        212⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        213⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        214⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        215⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        216⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        217⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        218⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        219⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        220⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        221⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        222⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        223⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        224⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        225⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        226⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        227⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        228⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        229⤵
        
        PID:972
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        230⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        231⤵
        
        PID:616
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        232⤵
        
        PID:892
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        233⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        234⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        235⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        236⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        237⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        238⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        239⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        240⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        241⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        242⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        243⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        244⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        245⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        246⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        247⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        246⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        245⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        244⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        243⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        242⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        241⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        240⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        239⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        238⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        237⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        236⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        235⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        234⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        233⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        232⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        231⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        230⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        229⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        228⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        227⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        226⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        225⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        224⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        223⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        222⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        221⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        220⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        219⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        218⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        217⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        216⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        215⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        214⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        213⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        212⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        211⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        210⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        209⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        208⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        207⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        206⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        205⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        204⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        203⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        202⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        201⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        200⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        199⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        198⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        197⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        196⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        195⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        194⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        193⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        192⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        191⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        190⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        189⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        188⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        187⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        186⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        185⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        184⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        183⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        182⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        181⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        180⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        179⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        178⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        177⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        176⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        175⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        174⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        173⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        172⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        171⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        170⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        169⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        168⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        167⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        166⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        165⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        164⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        163⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        162⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        161⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        160⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        159⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        158⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        157⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        156⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        155⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        154⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        153⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        152⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        151⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        150⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        149⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        148⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        147⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        146⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        145⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        144⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        143⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        142⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        141⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        140⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        139⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        138⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        137⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        136⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        135⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        134⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        133⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        132⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        131⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        130⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        129⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        128⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        127⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        126⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        125⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        124⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        123⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        122⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        121⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        120⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        119⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        118⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        117⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        116⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        115⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        114⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        113⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        112⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        111⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        110⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        109⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        108⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        107⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        106⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        105⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        104⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        103⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        102⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        101⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        100⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        99⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        98⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        97⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        96⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        95⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        94⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        93⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        92⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        91⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        90⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        89⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        88⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        87⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        86⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        85⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        84⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        83⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        82⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        81⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        80⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        79⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        78⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        77⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        76⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        75⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        74⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        73⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        71⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        69⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        66⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        65⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        64⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        63⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        61⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        60⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        58⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        57⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        56⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        55⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        54⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        51⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        49⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        48⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        47⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        46⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        45⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        44⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        43⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        41⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        37⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        36⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        33⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        32⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        31⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        29⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        25⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        24⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        22⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        21⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        20⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        18⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        17⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        13⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        12⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        11⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        10⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        7⤵
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FDA298~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1858185679-125209052-16964729331308417630-347826956348119614-431058081-1586031113"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1523796119-11823523667696359251195869729849359365-31451234-1792880035-86740969"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-70970483789945394557148714-9720532305830038121129037581-1715848639843821782"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1423962511462065809-619288286937353220-150292454-1616108458-948370966-1088361854"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1111280287-1356507921-17506285311111950198321533521692040662-2032969069-2052283215"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1896042566-19246161011875895172273183520750310984-1338919895876920361-1142672444"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1835438547644718238698862680-2025599954216232540-15374659471746771417-892215315"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-261390301226552585-159987252-20164645511466456286-1366747451521317410542085422"
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1102432170775836089555647994-13978656751371047371606048023-19152093641617247282"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3477892247308947611974817371-949548339-348848658-169926997018696258781638154"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-221488523-6768935513172754182131732234-683146900-14906458741831936707-2033827139"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24083060271086822-602676060-982923188-145755325312986197491988807424786675470"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15138233723292138441241493257-1380068291-765338068-1624270572-1939639162-1041455874"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1116186315-1622714263-1831687531583551337-167863595-143051665117899638006098396"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "764275493736965906-1239158952-1299529453-82619087113178457101959223214-133220900"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1101849841-17962368041905293924-139797119-1027554100-1728608561957024861-1454897570"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10264876121967065991132921959519807494983901965571576728147-1591301443885422285"
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15560071731599643219-940767595-1245055153-8883266198377664588323379401541336506"
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137792076140439013-373921533-1025401300-1531557302722968954-19131471671174796427"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4608158031758086200501875098-854765795-1137192436142395233-3045817611296184202"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1691109490-2044405831513192200-21351269101679266102-788472994966285026268267218"
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
1eb5dbd7ebfd9f3605e67fedb176ae68

SHA1
21ca5827abb9be937aa664728d9c95abd44d8c15

SHA256
93609d43bed5439833ca9ec57bf9ae6ae9bc5e5bd2a1cf68340977c9b3f4b344

SHA512
d50e8f0d85e3e0c95b7081143e0ecac710a11ab7236bbdb0fc5ce5e2ab87f810b43ce6adf1d9df2a73059e10e581c65b15c17ff6238221b0ecb78004956e0356

Download Submit
\Windows\SysWOW64\msdbgcli.exe

Filesize
130KB

MD5
fda298f72a1983e613b35cb3becd6ad3

SHA1
624d8e8c2a0967300cd784b426f2458c260c1ec0

SHA256
aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769

SHA512
bda59edc47edd9cc5ed7e3cf36f47cd6c09155e78071ac35898cfc8257137cfa0df2d3e47a7523bd0d627e2b707134d8fd62033acbc9551e6b2324083a824efe

Download Submit
memory/568-158-0x0000000002CB0000-0x0000000002CF4000-memory.dmp

Filesize
272KB

Download
memory/568-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/608-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/608-288-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/608-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-172-0x0000000002C60000-0x0000000002CA4000-memory.dmp

Filesize
272KB

Download
memory/632-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-171-0x0000000002C60000-0x0000000002CA4000-memory.dmp

Filesize
272KB

Download
memory/860-267-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/860-264-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/860-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/892-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-241-0x0000000002FB0000-0x0000000002FF4000-memory.dmp

Filesize
272KB

Download
memory/968-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-177-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1156-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-77-0x0000000002EC0000-0x0000000002F04000-memory.dmp

Filesize
272KB

Download
memory/1324-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1324-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1324-221-0x0000000002B50000-0x0000000002B94000-memory.dmp

Filesize
272KB

Download
memory/1360-51-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1360-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1476-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1516-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-247-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1520-246-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1580-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-252-0x0000000002C70000-0x0000000002CB4000-memory.dmp

Filesize
272KB

Download
memory/1696-298-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1712-167-0x0000000002E20000-0x0000000002E64000-memory.dmp

Filesize
272KB

Download
memory/1712-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-225-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1932-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-259-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1948-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-258-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1968-181-0x0000000002EC0000-0x0000000002F04000-memory.dmp

Filesize
272KB

Download
memory/1968-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-231-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download
memory/2032-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-90-0x0000000002C70000-0x0000000002CB4000-memory.dmp

Filesize
272KB

Download
memory/2076-133-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/2076-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-95-0x0000000002EF0000-0x0000000002F34000-memory.dmp

Filesize
272KB

Download
memory/2124-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2256-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2256-143-0x0000000004280000-0x00000000042C4000-memory.dmp

Filesize
272KB

Download
memory/2312-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-277-0x0000000002C70000-0x0000000002CB4000-memory.dmp

Filesize
272KB

Download
memory/2348-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-293-0x0000000002C80000-0x0000000002CC4000-memory.dmp

Filesize
272KB

Download
memory/2508-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-272-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/2508-271-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/2508-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-22-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/2528-21-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/2528-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-215-0x0000000002D60000-0x0000000002DA4000-memory.dmp

Filesize
272KB

Download
memory/2536-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2572-67-0x0000000004120000-0x0000000004164000-memory.dmp

Filesize
272KB

Download
memory/2572-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-206-0x0000000002EF0000-0x0000000002F34000-memory.dmp

Filesize
272KB

Download
memory/2596-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-124-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/2732-12-0x0000000004130000-0x0000000004174000-memory.dmp

Filesize
272KB

Download
memory/2732-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-2-0x0000000000425000-0x0000000000443000-memory.dmp

Filesize
120KB

Download
memory/2740-108-0x0000000002C60000-0x0000000002CA4000-memory.dmp

Filesize
272KB

Download
memory/2740-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-282-0x0000000002D60000-0x0000000002DA4000-memory.dmp

Filesize
272KB

Download
memory/2788-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2896-39-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download
memory/2896-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2896-41-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download
memory/2896-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads