f76a3936bbb22480dbf41a676ccf8fe5d4f1e3a51c77868a36217c10cf1100fe

Analysis

max time kernel
61s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Size

848KB
MD5

1289cb9081b3188951ad7a023f352fc0
SHA1

180ec90692c7062292ee1a2e3dabbc8fa044d16e
SHA256

f76a3936bbb22480dbf41a676ccf8fe5d4f1e3a51c77868a36217c10cf1100fe
SHA512

ffcf553cfbca916e76ea4ef92f6b18cae8e20fd9efeb90e9c3e478acb97bb9b9a654c4959392ee4760c825677c43fd607ec76fa6d0c0dcaf1e6dd46bda8d54cc
SSDEEP

12288:jJgAUN5yymszEDoH5lMTRmzF+xkRqBAH+T+sRgkgmZrQUDpu:q5yydIcZlkmzE2ABMctiI8eu

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\aesabbjj	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\hmei\StubPath = "C:\\Windows\\system32\\hmei.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\twiq\StubPath = "C:\\Windows\\system32\\twiq.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\dvooqm\StubPath = "C:\\Windows\\system32\\dvooqm.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\dalry\StubPath = "C:\\Windows\\system32\\dalry.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\dorbppnr\StubPath = "C:\\Windows\\system32\\dorbppnr.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\glphyawb\StubPath = "C:\\Windows\\system32\\glphyawb.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\gqplen\StubPath = "C:\\Windows\\system32\\gqplen.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\myotebk	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ofoa\StubPath = "C:\\Windows\\system32\\ofoa.exe"	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ttydpqal\StubPath = "C:\\Windows\\system32\\ttydpqal.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\gtpoaboj	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\fmlnwf	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\bwiwycs	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\hkgqprd	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\hkgqprd\StubPath = "C:\\Windows\\system32\\hkgqprd.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\bocgjc\StubPath = "C:\\Windows\\system32\\bocgjc.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\xmfqu	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\lntehhr\StubPath = "C:\\Windows\\system32\\lntehhr.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\imtdo	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\wlkpf\StubPath = "C:\\Windows\\system32\\wlkpf.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\vqoek	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\sukple	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\nunwla\StubPath = "C:\\Windows\\system32\\nunwla.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\wuqssqmh\StubPath = "C:\\Windows\\system32\\wuqssqmh.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\cikhkxfd\StubPath = "C:\\Windows\\system32\\cikhkxfd.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\tkjur	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\gtpoaboj\StubPath = "C:\\Windows\\system32\\gtpoaboj.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\fhhv	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\uhmjhf	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\yvbi\StubPath = "C:\\Windows\\system32\\yvbi.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\jqlnbn\StubPath = "C:\\Windows\\system32\\jqlnbn.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\wfmjqbmd\StubPath = "C:\\Windows\\system32\\wfmjqbmd.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\odqiey\StubPath = "C:\\Windows\\system32\\odqiey.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\pdsvf	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\jdco\StubPath = "C:\\Windows\\system32\\jdco.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\krixwqr\StubPath = "C:\\Windows\\system32\\krixwqr.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\vwdncsgk\StubPath = "C:\\Windows\\system32\\vwdncsgk.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\drcvk	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\cphywnr\StubPath = "C:\\Windows\\system32\\cphywnr.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\nbqj	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\nfrgl	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\vpbhmp\StubPath = "C:\\Windows\\system32\\vpbhmp.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\vcfnsyc	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ytep\StubPath = "C:\\Windows\\system32\\ytep.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\nfcwlsa	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\nacsgr\StubPath = "C:\\Windows\\system32\\nacsgr.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\iqbu	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\dalry	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\udanpo\StubPath = "C:\\Windows\\system32\\udanpo.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\qssykydu\StubPath = "C:\\Windows\\system32\\qssykydu.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ubllgq	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\fdty	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\qxvebb\StubPath = "C:\\Windows\\system32\\qxvebb.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\agpshqyu\StubPath = "C:\\Windows\\system32\\agpshqyu.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\pbrm\StubPath = "C:\\Windows\\system32\\pbrm.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\novdxvdp\StubPath = "C:\\Windows\\system32\\novdxvdp.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\evdghdow	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\niftspr\StubPath = "C:\\Windows\\system32\\niftspr.exe"	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\mfhnuuba\StubPath = "C:\\Windows\\system32\\mfhnuuba.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\gqplen	srv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\uqlmg\StubPath = "C:\\Windows\\system32\\uqlmg.exe"	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\odqiey	srv32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ggwpu	srv32.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	srv32.exe

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019642-83.dat	acprotect
behavioral1/files/0x000500000001964a-84.dat	acprotect
behavioral1/files/0x000500000001964b-85.dat	acprotect
behavioral1/files/0x00050000000197c2-86.dat	acprotect
behavioral1/files/0x0005000000019a72-87.dat	acprotect
behavioral1/files/0x0005000000019b0f-89.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
1608	srv32.exe
2852	srv32.exe
2860	srv32.exe
2628	srv32.exe
2468	srv32.exe
1936	srv32.exe
2160	srv32.exe
828	srv32.exe
1080	srv32.exe
2924	srv32.exe
1356	srv32.exe
328	srv32.exe
1148	srv32.exe
1708	srv32.exe
2828	srv32.exe
3060	srv32.exe
2748	srv32.exe
2636	srv32.exe
2000	srv32.exe
2172	srv32.exe
2084	srv32.exe
1320	srv32.exe
680	srv32.exe
940	srv32.exe
2168	srv32.exe
1816	srv32.exe
2512	srv32.exe
1604	srv32.exe
352	srv32.exe
2808	srv32.exe
2968	srv32.exe
2916	srv32.exe
2772	srv32.exe
620	srv32.exe
1788	srv32.exe
2188	srv32.exe
852	srv32.exe
2276	srv32.exe
2300	srv32.exe
1732	srv32.exe
2488	srv32.exe
1744	srv32.exe
2348	srv32.exe
3048	srv32.exe
1608	srv32.exe
2796	srv32.exe
2332	srv32.exe
764	srv32.exe
2212	srv32.exe
1476	srv32.exe
1704	srv32.exe
1124	srv32.exe
2548	srv32.exe
1940	srv32.exe
1432	srv32.exe
1532	srv32.exe
904	srv32.exe
2364	srv32.exe
2512	srv32.exe
2072	srv32.exe
2884	srv32.exe
2708	srv32.exe
2588	srv32.exe
780	srv32.exe

Loads dropped DLL 64 IoCs

pid	Process
1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
1608	srv32.exe
1608	srv32.exe
2852	srv32.exe
2852	srv32.exe
2860	srv32.exe
2860	srv32.exe
2628	srv32.exe
2628	srv32.exe
2468	srv32.exe
2468	srv32.exe
1936	srv32.exe
1936	srv32.exe
2160	srv32.exe
2160	srv32.exe
828	srv32.exe
828	srv32.exe
1080	srv32.exe
1080	srv32.exe
2924	srv32.exe
2924	srv32.exe
1356	srv32.exe
1356	srv32.exe
328	srv32.exe
328	srv32.exe
1148	srv32.exe
1148	srv32.exe
1708	srv32.exe
1708	srv32.exe
2828	srv32.exe
2828	srv32.exe
3060	srv32.exe
3060	srv32.exe
2748	srv32.exe
2748	srv32.exe
2636	srv32.exe
2636	srv32.exe
2000	srv32.exe
2000	srv32.exe
2172	srv32.exe
2172	srv32.exe
2084	srv32.exe
2084	srv32.exe
1320	srv32.exe
1320	srv32.exe
680	srv32.exe
680	srv32.exe
940	srv32.exe
940	srv32.exe
2168	srv32.exe
2168	srv32.exe
1816	srv32.exe
1816	srv32.exe
2512	srv32.exe
2512	srv32.exe
1604	srv32.exe
1604	srv32.exe
352	srv32.exe
352	srv32.exe
2808	srv32.exe
2808	srv32.exe
2968	srv32.exe
2968	srv32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wkjjwgx.siq	srv32.exe
File created	C:\Windows\SysWOW64\shess.xgn	srv32.exe
File created	C:\Windows\SysWOW64\abuhp.kka	srv32.exe
File opened for modification	C:\Windows\SysWOW64\cctxfst.exe	srv32.exe
File created	C:\Windows\SysWOW64\ivglnns.aqq	srv32.exe
File opened for modification	C:\Windows\SysWOW64\jtkahgn.exe	srv32.exe
File created	C:\Windows\SysWOW64\dqtdyfkv.rix	srv32.exe
File created	C:\Windows\SysWOW64\kdfciwy.tol	srv32.exe
File created	C:\Windows\SysWOW64\imrsd.kqv	srv32.exe
File created	C:\Windows\SysWOW64\fodhs.har	srv32.exe
File created	C:\Windows\SysWOW64\uqabt.vdr	srv32.exe
File opened for modification	C:\Windows\SysWOW64\ygnytfvk.exe	srv32.exe
File created	C:\Windows\SysWOW64\tkjkcwwm.anc	srv32.exe
File created	C:\Windows\SysWOW64\fdxh.yfq	srv32.exe
File opened for modification	C:\Windows\SysWOW64\jdco.exe	srv32.exe
File created	C:\Windows\SysWOW64\nfkfywbs.vgm	srv32.exe
File opened for modification	C:\Windows\SysWOW64\vulqdgqw.exe	srv32.exe
File opened for modification	C:\Windows\SysWOW64\aedowkx.exe	srv32.exe
File created	C:\Windows\SysWOW64\rgbd.emc	srv32.exe
File created	C:\Windows\SysWOW64\ovgvyv.tas	srv32.exe
File created	C:\Windows\SysWOW64\kpkf.mka	srv32.exe
File created	C:\Windows\SysWOW64\mcxanyj.tgk	srv32.exe
File opened for modification	C:\Windows\SysWOW64\vwydcp.exe	srv32.exe
File created	C:\Windows\SysWOW64\plpyhc.pvj	srv32.exe
File created	C:\Windows\SysWOW64\uvdaolqd.bvh	srv32.exe
File created	C:\Windows\SysWOW64\admb.mmi	srv32.exe
File created	C:\Windows\SysWOW64\enacs.ujm	srv32.exe
File created	C:\Windows\SysWOW64\qcgru.iow	srv32.exe
File created	C:\Windows\SysWOW64\wrgwx.ksp	srv32.exe
File created	C:\Windows\SysWOW64\saja.cft	srv32.exe
File created	C:\Windows\SysWOW64\kqmd.exe	srv32.exe
File created	C:\Windows\SysWOW64\dvooqm.yqw	srv32.exe
File created	C:\Windows\SysWOW64\qrudx.ucp	srv32.exe
File created	C:\Windows\SysWOW64\rgvqfech.vde	srv32.exe
File created	C:\Windows\SysWOW64\dalry.enc	srv32.exe
File created	C:\Windows\SysWOW64\jlhv.syi	srv32.exe
File created	C:\Windows\SysWOW64\akxvpqn.ktn	srv32.exe
File created	C:\Windows\SysWOW64\ntfe.bju	srv32.exe
File created	C:\Windows\SysWOW64\srv32.exe	srv32.exe
File created	C:\Windows\SysWOW64\srv32.exe	srv32.exe
File created	C:\Windows\SysWOW64\dalry.exe	srv32.exe
File opened for modification	C:\Windows\SysWOW64\asdgetwa.exe	srv32.exe
File created	C:\Windows\SysWOW64\awnyw.dhr	srv32.exe
File created	C:\Windows\SysWOW64\dcqpuraq.wop	srv32.exe
File created	C:\Windows\SysWOW64\kvgm.fqp	srv32.exe
File created	C:\Windows\SysWOW64\segekwhh.efe	srv32.exe
File created	C:\Windows\SysWOW64\srv32.exe	srv32.exe
File created	C:\Windows\SysWOW64\eiqqbpmy.exe	srv32.exe
File created	C:\Windows\SysWOW64\yfxpu.sxd	srv32.exe
File created	C:\Windows\SysWOW64\xgmk.qfk	srv32.exe
File created	C:\Windows\SysWOW64\kqmd.lpe	srv32.exe
File opened for modification	C:\Windows\SysWOW64\siiu.exe	srv32.exe
File created	C:\Windows\SysWOW64\srv32.exe	srv32.exe
File created	C:\Windows\SysWOW64\okixrc.int	srv32.exe
File created	C:\Windows\SysWOW64\srv32.exe	srv32.exe
File created	C:\Windows\SysWOW64\umjjn.kad	srv32.exe
File created	C:\Windows\SysWOW64\nsqeekc.hgh	srv32.exe
File created	C:\Windows\SysWOW64\txab.irr	srv32.exe
File created	C:\Windows\SysWOW64\kstu.ymf	srv32.exe
File created	C:\Windows\SysWOW64\kanimtan.okq	srv32.exe
File created	C:\Windows\SysWOW64\mrlkqrg.kvg	srv32.exe
File created	C:\Windows\SysWOW64\dgwiye.kwc	srv32.exe
File created	C:\Windows\SysWOW64\rtlxxue.dmr	srv32.exe
File created	C:\Windows\SysWOW64\avgny.pds	srv32.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x00060000000190e1-13.dat	upx
behavioral1/memory/1608-24-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1708-23-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2852-43-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1608-41-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2860-63-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2852-62-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2860-79-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0005000000019642-83.dat	upx
behavioral1/files/0x000500000001964a-84.dat	upx
behavioral1/files/0x000500000001964b-85.dat	upx
behavioral1/files/0x00050000000197c2-86.dat	upx
behavioral1/files/0x0005000000019a72-87.dat	upx
behavioral1/files/0x0005000000019b0f-89.dat	upx
behavioral1/memory/2628-98-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2468-99-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2468-117-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2160-137-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1936-136-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2160-153-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/828-173-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1080-171-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2924-191-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1080-189-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2924-208-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1356-224-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1148-243-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/328-242-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1148-261-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1708-280-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2828-298-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/3060-312-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2748-325-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2636-339-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2000-340-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2000-353-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2172-366-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2084-367-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2084-381-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/680-394-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1320-396-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/680-409-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2168-424-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/940-423-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2168-437-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2512-452-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1816-451-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2512-465-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/352-481-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1604-480-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2808-496-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/352-495-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2968-510-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2808-512-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2968-525-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2772-540-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2916-539-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2772-552-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1788-566-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/620-565-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1788-580-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2188-596-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/852-594-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srv32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1608	srv32.exe
Token: SeSystemtimePrivilege	1608	srv32.exe
Token: SeSystemtimePrivilege	1608	srv32.exe
Token: SeSystemtimePrivilege	1608	srv32.exe
Token: SeSystemtimePrivilege	2852	srv32.exe
Token: SeSystemtimePrivilege	2852	srv32.exe
Token: SeSystemtimePrivilege	2852	srv32.exe
Token: SeSystemtimePrivilege	2852	srv32.exe
Token: SeSystemtimePrivilege	2860	srv32.exe
Token: SeSystemtimePrivilege	2860	srv32.exe
Token: SeSystemtimePrivilege	2860	srv32.exe
Token: SeSystemtimePrivilege	2860	srv32.exe
Token: SeSystemtimePrivilege	2628	srv32.exe
Token: SeSystemtimePrivilege	2628	srv32.exe
Token: SeSystemtimePrivilege	2628	srv32.exe
Token: SeSystemtimePrivilege	2628	srv32.exe
Token: SeSystemtimePrivilege	2468	srv32.exe
Token: SeSystemtimePrivilege	2468	srv32.exe
Token: SeSystemtimePrivilege	2468	srv32.exe
Token: SeSystemtimePrivilege	2468	srv32.exe
Token: SeSystemtimePrivilege	1936	srv32.exe
Token: SeSystemtimePrivilege	1936	srv32.exe
Token: SeSystemtimePrivilege	1936	srv32.exe
Token: SeSystemtimePrivilege	1936	srv32.exe
Token: SeSystemtimePrivilege	2160	srv32.exe
Token: SeSystemtimePrivilege	2160	srv32.exe
Token: SeSystemtimePrivilege	2160	srv32.exe
Token: SeSystemtimePrivilege	2160	srv32.exe
Token: SeSystemtimePrivilege	828	srv32.exe
Token: SeSystemtimePrivilege	828	srv32.exe
Token: SeSystemtimePrivilege	828	srv32.exe
Token: SeSystemtimePrivilege	828	srv32.exe
Token: SeSystemtimePrivilege	1080	srv32.exe
Token: SeSystemtimePrivilege	1080	srv32.exe
Token: SeSystemtimePrivilege	1080	srv32.exe
Token: SeSystemtimePrivilege	1080	srv32.exe
Token: SeSystemtimePrivilege	2924	srv32.exe
Token: SeSystemtimePrivilege	2924	srv32.exe
Token: SeSystemtimePrivilege	2924	srv32.exe
Token: SeSystemtimePrivilege	2924	srv32.exe
Token: SeSystemtimePrivilege	1356	srv32.exe
Token: SeSystemtimePrivilege	1356	srv32.exe
Token: SeSystemtimePrivilege	1356	srv32.exe
Token: SeSystemtimePrivilege	1356	srv32.exe
Token: SeSystemtimePrivilege	328	srv32.exe
Token: SeSystemtimePrivilege	328	srv32.exe
Token: SeSystemtimePrivilege	328	srv32.exe
Token: SeSystemtimePrivilege	328	srv32.exe
Token: SeSystemtimePrivilege	1148	srv32.exe
Token: SeSystemtimePrivilege	1148	srv32.exe
Token: SeSystemtimePrivilege	1148	srv32.exe
Token: SeSystemtimePrivilege	1148	srv32.exe
Token: SeSystemtimePrivilege	1708	srv32.exe
Token: SeSystemtimePrivilege	1708	srv32.exe
Token: SeSystemtimePrivilege	1708	srv32.exe
Token: SeSystemtimePrivilege	1708	srv32.exe
Token: SeSystemtimePrivilege	2828	srv32.exe
Token: SeSystemtimePrivilege	2828	srv32.exe
Token: SeSystemtimePrivilege	2828	srv32.exe
Token: SeSystemtimePrivilege	2828	srv32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1608	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe	31
PID 1708 wrote to memory of 1608	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe	31
PID 1708 wrote to memory of 1608	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe	31
PID 1708 wrote to memory of 1608	1708	1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe	31
PID 1608 wrote to memory of 2852	1608	srv32.exe	32
PID 1608 wrote to memory of 2852	1608	srv32.exe	32
PID 1608 wrote to memory of 2852	1608	srv32.exe	32
PID 1608 wrote to memory of 2852	1608	srv32.exe	32
PID 2852 wrote to memory of 2860	2852	srv32.exe	33
PID 2852 wrote to memory of 2860	2852	srv32.exe	33
PID 2852 wrote to memory of 2860	2852	srv32.exe	33
PID 2852 wrote to memory of 2860	2852	srv32.exe	33
PID 2860 wrote to memory of 2628	2860	srv32.exe	34
PID 2860 wrote to memory of 2628	2860	srv32.exe	34
PID 2860 wrote to memory of 2628	2860	srv32.exe	34
PID 2860 wrote to memory of 2628	2860	srv32.exe	34
PID 2628 wrote to memory of 2468	2628	srv32.exe	35
PID 2628 wrote to memory of 2468	2628	srv32.exe	35
PID 2628 wrote to memory of 2468	2628	srv32.exe	35
PID 2628 wrote to memory of 2468	2628	srv32.exe	35
PID 2468 wrote to memory of 1936	2468	srv32.exe	36
PID 2468 wrote to memory of 1936	2468	srv32.exe	36
PID 2468 wrote to memory of 1936	2468	srv32.exe	36
PID 2468 wrote to memory of 1936	2468	srv32.exe	36
PID 1936 wrote to memory of 2160	1936	srv32.exe	37
PID 1936 wrote to memory of 2160	1936	srv32.exe	37
PID 1936 wrote to memory of 2160	1936	srv32.exe	37
PID 1936 wrote to memory of 2160	1936	srv32.exe	37
PID 2160 wrote to memory of 828	2160	srv32.exe	38
PID 2160 wrote to memory of 828	2160	srv32.exe	38
PID 2160 wrote to memory of 828	2160	srv32.exe	38
PID 2160 wrote to memory of 828	2160	srv32.exe	38
PID 828 wrote to memory of 1080	828	srv32.exe	39
PID 828 wrote to memory of 1080	828	srv32.exe	39
PID 828 wrote to memory of 1080	828	srv32.exe	39
PID 828 wrote to memory of 1080	828	srv32.exe	39
PID 1080 wrote to memory of 2924	1080	srv32.exe	40
PID 1080 wrote to memory of 2924	1080	srv32.exe	40
PID 1080 wrote to memory of 2924	1080	srv32.exe	40
PID 1080 wrote to memory of 2924	1080	srv32.exe	40
PID 2924 wrote to memory of 1356	2924	srv32.exe	41
PID 2924 wrote to memory of 1356	2924	srv32.exe	41
PID 2924 wrote to memory of 1356	2924	srv32.exe	41
PID 2924 wrote to memory of 1356	2924	srv32.exe	41
PID 1356 wrote to memory of 328	1356	srv32.exe	42
PID 1356 wrote to memory of 328	1356	srv32.exe	42
PID 1356 wrote to memory of 328	1356	srv32.exe	42
PID 1356 wrote to memory of 328	1356	srv32.exe	42
PID 328 wrote to memory of 1148	328	srv32.exe	43
PID 328 wrote to memory of 1148	328	srv32.exe	43
PID 328 wrote to memory of 1148	328	srv32.exe	43
PID 328 wrote to memory of 1148	328	srv32.exe	43
PID 1148 wrote to memory of 1708	1148	srv32.exe	44
PID 1148 wrote to memory of 1708	1148	srv32.exe	44
PID 1148 wrote to memory of 1708	1148	srv32.exe	44
PID 1148 wrote to memory of 1708	1148	srv32.exe	44
PID 1708 wrote to memory of 2828	1708	srv32.exe	45
PID 1708 wrote to memory of 2828	1708	srv32.exe	45
PID 1708 wrote to memory of 2828	1708	srv32.exe	45
PID 1708 wrote to memory of 2828	1708	srv32.exe	45
PID 2828 wrote to memory of 3060	2828	srv32.exe	46
PID 2828 wrote to memory of 3060	2828	srv32.exe	46
PID 2828 wrote to memory of 3060	2828	srv32.exe	46
PID 2828 wrote to memory of 3060	2828	srv32.exe	46

C:\Users\Admin\AppData\Local\Temp\1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1289cb9081b3188951ad7a023f352fc0_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\srv32.exe
  "C:\Windows\system32\srv32.exe" 7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\srv32.exe
    "C:\Windows\system32\srv32.exe" 7
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\srv32.exe
      "C:\Windows\system32\srv32.exe" 7
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3060
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2748
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2000
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2168
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2512
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2808
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2968
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        33⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        35⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        36⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        37⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        38⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        39⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        41⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        43⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        44⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        45⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        46⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        47⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        51⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        53⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        54⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        56⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        57⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        59⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        60⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        61⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        63⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        64⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        65⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        66⤵
        
        PID:840
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        67⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        68⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        69⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        70⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2160
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        71⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        72⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        73⤵
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        74⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        75⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        76⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        77⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        78⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        79⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        81⤵
        
        PID:264
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        82⤵
        
        PID:736
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        83⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        84⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        85⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        86⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        88⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2260
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        89⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        90⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        91⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        92⤵
        
        PID:904
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        93⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        94⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2820
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        95⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        96⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        97⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        98⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        99⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1208
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        100⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        101⤵
        Drops file in Drivers directory
        
        PID:1628
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        102⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1324
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        103⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        104⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        105⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        106⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        107⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        108⤵
        Drops file in Drivers directory
        
        PID:2880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        109⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        111⤵
        Drops file in Drivers directory
        
        PID:2740
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        112⤵
        Drops file in Drivers directory
        
        PID:2564
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        114⤵
        Drops file in Drivers directory
        
        PID:1972
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        115⤵
        Drops file in Drivers directory
        
        PID:1804
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        116⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        117⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        119⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        120⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        122⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        123⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        124⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1752
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        125⤵
        Drops file in Drivers directory
        
        PID:2648
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        126⤵
        Drops file in Drivers directory
        
        PID:2568
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        127⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        128⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        129⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        130⤵
        
        PID:804
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        131⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        132⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        133⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        134⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        136⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        137⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2284
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        138⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        139⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        140⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:2768
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        141⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2072
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        143⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        144⤵
        
        PID:684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        145⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        146⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        147⤵
        Drops file in Drivers directory
        
        PID:956
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        148⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        149⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        150⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        151⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1532
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        153⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:1960
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        154⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2376
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        155⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        157⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        158⤵
        Drops file in Drivers directory
        
        PID:2212
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        159⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        160⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        161⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        163⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        164⤵
        
        PID:680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        165⤵
        Drops file in Drivers directory
        
        PID:2260
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        166⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        167⤵
        Drops file in Drivers directory
        
        PID:2124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        168⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        169⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        170⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        171⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        173⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        174⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        176⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        177⤵
        Drops file in Drivers directory
        
        PID:2044
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        178⤵
        
        PID:924
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        180⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        181⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        182⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        183⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        184⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        185⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        186⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        187⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        188⤵
        Drops file in Drivers directory
        
        PID:1144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        189⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        190⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        192⤵
        Drops file in Drivers directory
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        193⤵
        
        PID:888
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        194⤵
        
        PID:956
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        195⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1504
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        196⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        198⤵
        Drops file in Drivers directory
        
        PID:324
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        199⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        200⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        201⤵
        Drops file in Drivers directory
        
        PID:2604
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        202⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        203⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        204⤵
        Drops file in Drivers directory
        
        PID:264
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        206⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        207⤵
        Drops file in Drivers directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        208⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:1616
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        209⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        210⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        211⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        212⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        213⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        214⤵
        
        PID:756
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        215⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        216⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        218⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        220⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        221⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2716
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        222⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        223⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        224⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2052
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        225⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        226⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        227⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        228⤵
        Drops file in Drivers directory
        
        PID:1268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        229⤵
        Drops file in Drivers directory
        
        PID:1140
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        232⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        233⤵
        Drops file in Drivers directory
        
        PID:2448
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        234⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1532
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        235⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:1712
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        236⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        237⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        238⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        239⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        240⤵
        Drops file in Drivers directory
        
        PID:2584
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        241⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        242⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        244⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2392
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        245⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        246⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        248⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1032
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        249⤵
        
        PID:940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        250⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        251⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        253⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        254⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        255⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:2908
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        256⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        258⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        
        PID:3040
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        259⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        261⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        262⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        263⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        264⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        265⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        266⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        267⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        268⤵
        
        PID:352
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        269⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        270⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        271⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        272⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        273⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        274⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        275⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        276⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        277⤵
        
        PID:840
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        278⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        279⤵
        
        PID:888
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        280⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        281⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        282⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        283⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        284⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        285⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        286⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        287⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        288⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        289⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        290⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        291⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        292⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        293⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        294⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        295⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        296⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        297⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        298⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        299⤵
        
        PID:680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        300⤵
        
        PID:264
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        301⤵
        
        PID:896
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        302⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        303⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        304⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        305⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        306⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        307⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        308⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        309⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        310⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        311⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        312⤵
        
        PID:440
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        313⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        314⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        315⤵
        
        PID:604
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        316⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        317⤵
        
        PID:832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        318⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        319⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        320⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        321⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        322⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        323⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        324⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        325⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        326⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        327⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        328⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        329⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        330⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        331⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        332⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        333⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        334⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        335⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        336⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        337⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        338⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        339⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        340⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        341⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        342⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        343⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        344⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        345⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        346⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        347⤵
        
        PID:344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        348⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        349⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        350⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        351⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        352⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        353⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        354⤵
        
        PID:348
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        355⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        356⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        357⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        358⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        359⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        360⤵
        
        PID:764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        361⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        362⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        363⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        364⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        365⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        366⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        367⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        368⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        369⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        370⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        371⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        372⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        373⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        374⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        375⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        376⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        377⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        378⤵
        
        PID:780
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        379⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        380⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        381⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        382⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        383⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        384⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        385⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        386⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        387⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        388⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        389⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        390⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        391⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        392⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        393⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        394⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        395⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        396⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        397⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        398⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        399⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        400⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        401⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        402⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        403⤵
        
        PID:680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        404⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        405⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        406⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        407⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        408⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        409⤵
        
        PID:856
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        410⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        411⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        412⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        413⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        414⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        415⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        416⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        417⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        418⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        419⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        420⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        421⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        422⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        423⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        424⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        425⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        426⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        427⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        428⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        429⤵
        
        PID:276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        430⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        431⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        432⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        433⤵
        
        PID:344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        434⤵
        
        PID:824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        435⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        436⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        437⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        438⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        439⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        440⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        441⤵
        
        PID:628
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        442⤵
        
        PID:952
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        443⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        444⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        445⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        446⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        447⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        448⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        449⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        450⤵
        
        PID:684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        451⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        452⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        453⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        454⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        455⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        456⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        457⤵
        
        PID:784
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        458⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        459⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        460⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        461⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        462⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        463⤵
        
        PID:736
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        464⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        465⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        466⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        467⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        468⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        469⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        470⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        471⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        472⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        473⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        474⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        475⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        476⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        477⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        478⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        479⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        480⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        481⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        482⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        483⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        484⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        485⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        486⤵
        
        PID:888
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        487⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        488⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        489⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        490⤵
        
        PID:580
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        491⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        492⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        493⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        494⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        495⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        496⤵
        
        PID:856
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        497⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        498⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        499⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        500⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        501⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        502⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        503⤵
        
        PID:344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        504⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        505⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        506⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        507⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        508⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        509⤵
        
        PID:896
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        510⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        511⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        512⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        513⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        514⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        515⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        516⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        517⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        518⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        519⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        520⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        521⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        522⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        523⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        524⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        525⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        526⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        527⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        528⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        529⤵
        
        PID:952
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        530⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        531⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        532⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        533⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        534⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        535⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        536⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        537⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        538⤵
        
        PID:824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        539⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        540⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        541⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        542⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        543⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        544⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        545⤵
        
        PID:328
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        546⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        547⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        548⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        549⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        550⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        551⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        552⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        553⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        554⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        555⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        556⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        557⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        558⤵
        
        PID:828
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        559⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        560⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        561⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        562⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        563⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        564⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        565⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        566⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        567⤵
        
        PID:352
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        568⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        569⤵
        
        PID:764
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        570⤵
        
        PID:272
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        571⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        572⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        573⤵
        
        PID:440
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        574⤵
        
        PID:684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        575⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        576⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        577⤵
        
        PID:264
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        578⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        579⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        580⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        581⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        582⤵
        
        PID:920
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        583⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        584⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        585⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        586⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        587⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        588⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        589⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        590⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        591⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        592⤵
        
        PID:652
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        593⤵
        
        PID:684
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        594⤵
        
        PID:852
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        595⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        596⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        597⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        598⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        599⤵
        
        PID:316
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        600⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        601⤵
        
        PID:564
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        602⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        603⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        604⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        605⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        606⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        607⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        608⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        609⤵
        
        PID:736
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        610⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        611⤵
        
        PID:804
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        612⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        613⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        614⤵
        
        PID:932
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        615⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        616⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        617⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        618⤵
        
        PID:316
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        619⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        620⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        621⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        622⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        623⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        624⤵
        
        PID:276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        625⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        626⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        627⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        628⤵
        
        PID:736
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        629⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        630⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        631⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        632⤵
        
        PID:620
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        633⤵
        
        PID:580
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        634⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        635⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        636⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        637⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        638⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        639⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        640⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        641⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        642⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        643⤵
        
        PID:276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        644⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        645⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        646⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        647⤵
        
        PID:736
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        648⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        649⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        650⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        651⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        652⤵
        
        PID:580
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        653⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        654⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        655⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        656⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\srv32.exe
        
        "C:\Windows\system32\srv32.exe" 7
        657⤵
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bjjf.uuc

Filesize
139KB

MD5
73d1f12e51a0cb482be80eb44725d263

SHA1
99c30080b9e914f133b95d20b269173b29e1d54d

SHA256
be4b938fbb886bbdea7ac8d0e43b81d7d13bce0d4ba9367c963c977aeea33be7

SHA512
c6f17f8200f4c139a800f8c74e6fb7164eb94826cb369d7b8e654b8c9d0f554cc8efa9a331e2adf076e49d797e56a9f2375f241eaa424f707bca133c89375d6d

Download Submit
C:\Windows\SysWOW64\bkryfly.sxc

Filesize
35KB

MD5
5c06dbb234f088a487248ff37b10a41c

SHA1
fe647c131100dd91ce3c323b683fecd2a84f2025

SHA256
f55ce73d87c639d16e0637eb78d81c6c7e189a5a5989ba67cb436f54e2112d40

SHA512
1074b3fdf52c4f84960b87e5e4bd7a56bd0fce6313a263a9a5ca833a39e0c41703b80e898f786c33b0c0ad700b1f8f68189370b65a4ab22a9414a828c38d26ef

Download Submit
C:\Windows\SysWOW64\fdxh.yfq

Filesize
139KB

MD5
19300f0453e7204409a579d93c28d437

SHA1
f09ac8b4e87cef59f201a64979e09755ecd1bc4f

SHA256
b59365d72ddcf4c34076f7bdafc34d05895533fae73a261b889db9d2863ec19f

SHA512
4e4e4b2f3ec6be44db3e47c6ea363a79f42dac3afe2fd5f8b73cc2522683e12cde9ee1353050d64b6e570de1b257596cbc1f6d31332e8d08c02f5805fd30c451

Download Submit
C:\Windows\SysWOW64\mmlfnlg.axn

Filesize
11KB

MD5
52052d563d82628f1ed715abf69405ea

SHA1
cbb4f165c14d196f32f078c3d6ba89a2acec354a

SHA256
630aa992d2d35ef418c1654830675ce6bd28eec6740f030a0b78d5e184c959b6

SHA512
cacda5d11dda3dfc278bc90d7e62d3991b2260c6df4f5a803c49b8b85a03dc2f5bf32f2a0e1ee15255f884eb17f144f3c6c969113dfde094f4df0587a3535de6

Download Submit
C:\Windows\SysWOW64\mnsx.xcd

Filesize
52KB

MD5
b915b13b9deed4a76b073ba064f217e9

SHA1
200c6cf02e3595920973d8d67348842c62f60a7e

SHA256
69dbf0e310dbceeffeddc782e92f07fc0a79c9eda71fd5518f59a75c42f92b28

SHA512
8ee5db0f699909c0576f01d1a5cba1b52f0db7e4cf39154f9fdf05a5a5a5e01f4d24c7ebea30eaec98a3fe2c367d06d1984e87e66b3468f604cb5d84b288ef9c

Download Submit
C:\Windows\SysWOW64\mobris.abq

Filesize
126KB

MD5
995d98226ac0f19315587d3d579fdffb

SHA1
5cd153ae136b10ad1a218574ec34e959aa60d065

SHA256
35e12441051e85f71340c9d97e4561e40c6d444061acee583b54b528659b4877

SHA512
cc1edfbfbdb62ce2b4bd78aef9e7afea506ddc5e2e13870f113db9e1505d0a771bdfc928fe7721d640101447048c070c4c7a2054e07c34819100a50048793fb7

Download Submit
C:\Windows\SysWOW64\tavihom.khh

Filesize
143KB

MD5
cfa5c0be4bdf109ac01bb33daf6bf066

SHA1
3dbadf2d659321795c54107889451970b6456c1b

SHA256
2273a045dcad7f197f843bd152518ffe957e75f511e6b5512a3edfdfd9177d55

SHA512
1d885bdafa8cba278506db2e90e6a2a9581224cf487aa8bb1a09588f12ffe5084e5e5326834543520ee03b5aba6b4ee109bccc20a0865c81cfc8731ed8b369b0

Download Submit
C:\Windows\SysWOW64\tbeb.rfk

Filesize
58KB

MD5
028b428559e92a1fed010c025c467492

SHA1
374a5e3ce78d3b5eb5c68f3eaae17eb834ee4d32

SHA256
ed56b27ea98a3413c7655400bd1b4506fd5af41d14289bf63f9ac1269869a27f

SHA512
7220a8ed6ee14080ec933b8bbf85a9f387289b771860ec43031b9a9dd0b945bef70fd9247ae9ee22f0bd5f76c4b63a853f7c305bff487a82a527959b7135e32b

Download Submit
C:\Windows\SysWOW64\txoo.vxp

Filesize
88KB

MD5
07c252e1d856013575cda719b8057123

SHA1
f8bab7f72df8babddaad5568a39e8932c75f7e40

SHA256
e979660c17ca070fe36b9d1c30faa3daf37a34fbdda6f256f72aca24ca426619

SHA512
911657a8af9acfc10e3d9daccb4d1e96f70554c77a9969730a6a6a34ea49c81e2cbbd9b2f622213774d3147aa65e6dd0007e9ea78a0be6a39e362415c42b6fa3

Download Submit
C:\Windows\system32\drivers\etc\services

Filesize
17KB

MD5
d9e1a01b480d961b7cf0509d597a92d6

SHA1
a6c322bf661502b33ab802de67022dd21ac87d9a

SHA256
b26309dfd89a9cc94481536b4d662941429df79873bb59620f53db939ff5ec29

SHA512
c8653c60d702a29e5bc68cc4dd09baf0d022d6687eb0e3c7731e6a3ebbeaaf17b127bd970fad53140c4155faf70697b631e1b7fd03318d340ae2ee8813e7ad69

Download Submit
\Windows\SysWOW64\srv32.exe

Filesize
848KB

MD5
1289cb9081b3188951ad7a023f352fc0

SHA1
180ec90692c7062292ee1a2e3dabbc8fa044d16e

SHA256
f76a3936bbb22480dbf41a676ccf8fe5d4f1e3a51c77868a36217c10cf1100fe

SHA512
ffcf553cfbca916e76ea4ef92f6b18cae8e20fd9efeb90e9c3e478acb97bb9b9a654c4959392ee4760c825677c43fd607ec76fa6d0c0dcaf1e6dd46bda8d54cc

Download Submit
memory/328-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/352-495-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/352-481-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/352-493-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/620-565-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/680-394-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/680-409-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/828-168-0x0000000002C40000-0x0000000002C6B000-memory.dmp

Filesize
172KB

Download
memory/828-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/852-594-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/852-609-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/940-421-0x0000000002440000-0x000000000246B000-memory.dmp

Filesize
172KB

Download
memory/940-423-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1080-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1080-171-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-255-0x00000000020B0000-0x00000000020DB000-memory.dmp

Filesize
172KB

Download
memory/1148-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1320-393-0x0000000002530000-0x000000000255B000-memory.dmp

Filesize
172KB

Download
memory/1320-396-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1356-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-478-0x0000000002C60000-0x0000000002C8B000-memory.dmp

Filesize
172KB

Download
memory/1604-480-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-476-0x0000000002C60000-0x0000000002C8B000-memory.dmp

Filesize
172KB

Download
memory/1608-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1608-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1608-704-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1708-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1708-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1708-15-0x0000000002D80000-0x0000000002DAB000-memory.dmp

Filesize
172KB

Download
memory/1708-273-0x00000000025B0000-0x00000000025DB000-memory.dmp

Filesize
172KB

Download
memory/1708-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1708-277-0x00000000025B0000-0x00000000025DB000-memory.dmp

Filesize
172KB

Download
memory/1732-652-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-678-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1788-577-0x00000000025F0000-0x000000000261B000-memory.dmp

Filesize
172KB

Download
memory/1788-580-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1788-566-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-449-0x00000000025F0000-0x000000000261B000-memory.dmp

Filesize
172KB

Download
memory/1816-451-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1936-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1936-134-0x0000000002380000-0x00000000023AB000-memory.dmp

Filesize
172KB

Download
memory/2000-353-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2000-340-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2084-380-0x0000000002700000-0x000000000272B000-memory.dmp

Filesize
172KB

Download
memory/2084-381-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2084-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2160-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2160-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2168-424-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2168-437-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2172-366-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-591-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/2188-596-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-593-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/2276-610-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2276-622-0x00000000024E0000-0x000000000250B000-memory.dmp

Filesize
172KB

Download
memory/2276-624-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-625-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-638-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-691-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2468-117-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2468-114-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2468-115-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2468-99-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-665-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-650-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-465-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-452-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2628-96-0x0000000001F90000-0x0000000001FBB000-memory.dmp

Filesize
172KB

Download
memory/2628-98-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-339-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-338-0x0000000002220000-0x000000000224B000-memory.dmp

Filesize
172KB

Download
memory/2748-325-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2772-540-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2772-552-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2808-512-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2808-507-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/2808-509-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/2808-496-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2828-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2828-296-0x00000000024E0000-0x000000000250B000-memory.dmp

Filesize
172KB

Download
memory/2828-295-0x00000000024E0000-0x000000000250B000-memory.dmp

Filesize
172KB

Download
memory/2852-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-57-0x0000000002D80000-0x0000000002DAB000-memory.dmp

Filesize
172KB

Download
memory/2852-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-59-0x0000000002D80000-0x0000000002DAB000-memory.dmp

Filesize
172KB

Download
memory/2860-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2860-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-539-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-538-0x00000000024B0000-0x00000000024DB000-memory.dmp

Filesize
172KB

Download
memory/2924-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-510-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-525-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3048-702-0x00000000025D0000-0x00000000025FB000-memory.dmp

Filesize
172KB

Download
memory/3060-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3060-310-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads