xtremerat | 312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca38e573543038958bfac0734582d86.exe
Size

101KB
MD5

cca38e573543038958bfac0734582d86
SHA1

03caa3e2162c48a8415a9790e8f7c8811e1fb7d0
SHA256

312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d
SHA512

83af9319e2da7893ce0d98e8da9e9fb63778f6c2d6358bdfc5a7b6542670517a59eecc2da1ffc2e80a810952e1d1cf59aa1b579c8b6c1902a6c90cffbdab83a2
SSDEEP

1536:bNPB7mZMvoXGQysjHFq5ofXMEGUHGWkuZoHwdzE95s7xhRoV3qpdHDd:bNPB7JvDQzzQ5G8EGUxNeMiV3gdHZ

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral1/memory/2344-13-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2632-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2344-29-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2552-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2552-46-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/320-76-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2704-80-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/320-86-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-101-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/336-125-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-137-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/600-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/336-158-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2072-188-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1632-216-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1780-231-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2060-250-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2668-269-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2752-285-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-298-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2688-309-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1780-320-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2960-333-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/992-342-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2344-353-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1736-357-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2804-371-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-372-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2688-376-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2400-406-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2960-420-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/888-431-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2344-435-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3184-459-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2560-465-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2300-466-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3428-478-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3184-482-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1908-483-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2400-496-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3600-499-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/888-502-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3812-524-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3144-531-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3128-555-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3428-562-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3624-573-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3600-578-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3772-589-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3812-599-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3204-607-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3448-620-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3208-624-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3128-630-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3624-660-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3824-667-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3204-679-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3448-685-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/4344-699-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3584-704-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3812-706-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/4148-757-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/4344-762-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3172-773-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	cca38e573543038958bfac0734582d86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Cftmon\\lsass.exe restart"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	lsass.exe

Executes dropped EXE 64 IoCs

pid	Process
2788	lsass.exe
2552	lsass.exe
2684	lsass.exe
2704	lsass.exe
1948	lsass.exe
320	lsass.exe
2304	lsass.exe
2848	lsass.exe
2624	lsass.exe
2308	lsass.exe
600	lsass.exe
336	lsass.exe
912	lsass.exe
840	lsass.exe
2072	lsass.exe
624	lsass.exe
3068	lsass.exe
1632	lsass.exe
2216	lsass.exe
2060	lsass.exe
2492	lsass.exe
2668	lsass.exe
2752	lsass.exe
1948	lsass.exe
1780	lsass.exe
2624	lsass.exe
992	lsass.exe
1524	lsass.exe
1736	lsass.exe
2520	lsass.exe
2804	lsass.exe
2440	lsass.exe
2220	lsass.exe
2688	lsass.exe
2272	lsass.exe
2960	lsass.exe
2972	lsass.exe
2344	lsass.exe
1628	lsass.exe
2300	lsass.exe
704	lsass.exe
2852	lsass.exe
2552	lsass.exe
2560	lsass.exe
2400	lsass.exe
1908	lsass.exe
2688	lsass.exe
888	lsass.exe
3104	lsass.exe
3128	lsass.exe
3144	lsass.exe
3184	lsass.exe
3404	lsass.exe
3428	lsass.exe
3564	lsass.exe
3600	lsass.exe
3632	lsass.exe
3748	lsass.exe
3772	lsass.exe
3812	lsass.exe
3172	lsass.exe
3200	lsass.exe
3208	lsass.exe
3128	lsass.exe

Loads dropped DLL 11 IoCs

pid	Process
2344	cca38e573543038958bfac0734582d86.exe
2344	cca38e573543038958bfac0734582d86.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-6-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-5-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-11-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-13-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2632-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-29-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2552-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2552-46-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/320-76-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2704-80-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/320-86-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-101-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/336-125-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-137-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/600-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/336-158-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2072-188-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1632-216-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1780-231-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2060-250-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2668-269-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2752-285-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-298-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2688-309-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1780-320-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2960-333-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/992-342-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-353-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1736-357-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2804-371-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-372-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2688-376-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2400-406-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2960-420-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/888-431-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-435-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3184-459-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2560-465-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2300-466-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3428-478-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3184-482-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1908-483-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2400-496-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3600-499-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/888-502-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3812-524-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3144-531-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3128-555-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3428-562-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3624-573-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3600-578-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3772-589-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3812-599-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3204-607-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3448-620-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3208-624-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3128-630-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3624-660-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3824-667-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3204-679-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3448-685-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/4344-699-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3584-704-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	cca38e573543038958bfac0734582d86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	cca38e573543038958bfac0734582d86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Cftmon\\lsass.exe"	lsass.exe

Suspicious use of SetThreadContext 37 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2788 set thread context of 2552	2788	lsass.exe	39
PID 2684 set thread context of 2704	2684	lsass.exe	49
PID 1948 set thread context of 320	1948	lsass.exe	52
PID 2304 set thread context of 2308	2304	lsass.exe	71
PID 2624 set thread context of 600	2624	lsass.exe	72
PID 2848 set thread context of 336	2848	lsass.exe	73
PID 912 set thread context of 2072	912	lsass.exe	100
PID 624 set thread context of 1632	624	lsass.exe	104
PID 840 set thread context of 2060	840	lsass.exe	101
PID 2216 set thread context of 2668	2216	lsass.exe	122
PID 2492 set thread context of 2752	2492	lsass.exe	124
PID 1948 set thread context of 1780	1948	lsass.exe	130
PID 2624 set thread context of 992	2624	lsass.exe	154
PID 1524 set thread context of 1736	1524	lsass.exe	160
PID 3068 set thread context of 2804	3068	lsass.exe	164
PID 2520 set thread context of 2220	2520	lsass.exe	168
PID 2440 set thread context of 2688	2440	lsass.exe	169
PID 2272 set thread context of 2960	2272	lsass.exe	177
PID 2972 set thread context of 2344	2972	lsass.exe	208
PID 1628 set thread context of 2300	1628	lsass.exe	221
PID 704 set thread context of 2560	704	lsass.exe	228
PID 2852 set thread context of 2400	2852	lsass.exe	229
PID 2552 set thread context of 1908	2552	lsass.exe	230
PID 2688 set thread context of 888	2688	lsass.exe	237
PID 3104 set thread context of 3144	3104	lsass.exe	264
PID 3128 set thread context of 3184	3128	lsass.exe	265
PID 3404 set thread context of 3428	3404	lsass.exe	280
PID 3564 set thread context of 3600	3564	lsass.exe	287
PID 3632 set thread context of 3772	3632	lsass.exe	294
PID 3748 set thread context of 3812	3748	lsass.exe	295
PID 3172 set thread context of 3208	3172	lsass.exe	320
PID 3200 set thread context of 3128	3200	lsass.exe	321
PID 3576 set thread context of 3624	3576	lsass.exe	335
PID 1516 set thread context of 3824	1516	lsass.exe	346
PID 3692 set thread context of 3204	3692	lsass.exe	351
PID 3104 set thread context of 3448	3104	lsass.exe	357

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	cca38e573543038958bfac0734582d86.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe
File opened for modification	C:\Windows\Cftmon\lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2940	cca38e573543038958bfac0734582d86.exe
2788	lsass.exe
2684	lsass.exe
1948	lsass.exe
2304	lsass.exe
2848	lsass.exe
2624	lsass.exe
912	lsass.exe
840	lsass.exe
624	lsass.exe
2216	lsass.exe
2492	lsass.exe
1948	lsass.exe
2624	lsass.exe
1524	lsass.exe
3068	lsass.exe
2520	lsass.exe
2440	lsass.exe
2272	lsass.exe
2972	lsass.exe
1628	lsass.exe
704	lsass.exe
2852	lsass.exe
2552	lsass.exe
2688	lsass.exe
3104	lsass.exe
3128	lsass.exe
3404	lsass.exe
3564	lsass.exe
3632	lsass.exe
3748	lsass.exe
3172	lsass.exe
3200	lsass.exe
3576	lsass.exe
1516	lsass.exe
3692	lsass.exe
3104	lsass.exe
3924	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2940 wrote to memory of 2344	2940	cca38e573543038958bfac0734582d86.exe	28
PID 2344 wrote to memory of 2632	2344	cca38e573543038958bfac0734582d86.exe	29
PID 2344 wrote to memory of 2632	2344	cca38e573543038958bfac0734582d86.exe	29
PID 2344 wrote to memory of 2632	2344	cca38e573543038958bfac0734582d86.exe	29
PID 2344 wrote to memory of 2632	2344	cca38e573543038958bfac0734582d86.exe	29
PID 2344 wrote to memory of 2632	2344	cca38e573543038958bfac0734582d86.exe	29
PID 2344 wrote to memory of 2736	2344	cca38e573543038958bfac0734582d86.exe	30
PID 2344 wrote to memory of 2736	2344	cca38e573543038958bfac0734582d86.exe	30
PID 2344 wrote to memory of 2736	2344	cca38e573543038958bfac0734582d86.exe	30
PID 2344 wrote to memory of 2736	2344	cca38e573543038958bfac0734582d86.exe	30
PID 2344 wrote to memory of 2736	2344	cca38e573543038958bfac0734582d86.exe	30
PID 2344 wrote to memory of 2636	2344	cca38e573543038958bfac0734582d86.exe	31
PID 2344 wrote to memory of 2636	2344	cca38e573543038958bfac0734582d86.exe	31
PID 2344 wrote to memory of 2636	2344	cca38e573543038958bfac0734582d86.exe	31
PID 2344 wrote to memory of 2636	2344	cca38e573543038958bfac0734582d86.exe	31
PID 2344 wrote to memory of 2636	2344	cca38e573543038958bfac0734582d86.exe	31
PID 2344 wrote to memory of 2564	2344	cca38e573543038958bfac0734582d86.exe	32
PID 2344 wrote to memory of 2564	2344	cca38e573543038958bfac0734582d86.exe	32
PID 2344 wrote to memory of 2564	2344	cca38e573543038958bfac0734582d86.exe	32
PID 2344 wrote to memory of 2564	2344	cca38e573543038958bfac0734582d86.exe	32
PID 2344 wrote to memory of 2564	2344	cca38e573543038958bfac0734582d86.exe	32
PID 2344 wrote to memory of 2572	2344	cca38e573543038958bfac0734582d86.exe	33
PID 2344 wrote to memory of 2572	2344	cca38e573543038958bfac0734582d86.exe	33
PID 2344 wrote to memory of 2572	2344	cca38e573543038958bfac0734582d86.exe	33
PID 2344 wrote to memory of 2572	2344	cca38e573543038958bfac0734582d86.exe	33
PID 2344 wrote to memory of 2572	2344	cca38e573543038958bfac0734582d86.exe	33
PID 2344 wrote to memory of 2444	2344	cca38e573543038958bfac0734582d86.exe	34
PID 2344 wrote to memory of 2444	2344	cca38e573543038958bfac0734582d86.exe	34
PID 2344 wrote to memory of 2444	2344	cca38e573543038958bfac0734582d86.exe	34
PID 2344 wrote to memory of 2444	2344	cca38e573543038958bfac0734582d86.exe	34
PID 2344 wrote to memory of 2444	2344	cca38e573543038958bfac0734582d86.exe	34
PID 2344 wrote to memory of 2728	2344	cca38e573543038958bfac0734582d86.exe	35
PID 2344 wrote to memory of 2728	2344	cca38e573543038958bfac0734582d86.exe	35
PID 2344 wrote to memory of 2728	2344	cca38e573543038958bfac0734582d86.exe	35
PID 2344 wrote to memory of 2728	2344	cca38e573543038958bfac0734582d86.exe	35
PID 2344 wrote to memory of 2728	2344	cca38e573543038958bfac0734582d86.exe	35
PID 2344 wrote to memory of 2816	2344	cca38e573543038958bfac0734582d86.exe	36
PID 2344 wrote to memory of 2816	2344	cca38e573543038958bfac0734582d86.exe	36
PID 2344 wrote to memory of 2816	2344	cca38e573543038958bfac0734582d86.exe	36
PID 2344 wrote to memory of 2816	2344	cca38e573543038958bfac0734582d86.exe	36
PID 2344 wrote to memory of 2816	2344	cca38e573543038958bfac0734582d86.exe	36
PID 2344 wrote to memory of 2760	2344	cca38e573543038958bfac0734582d86.exe	37
PID 2344 wrote to memory of 2760	2344	cca38e573543038958bfac0734582d86.exe	37
PID 2344 wrote to memory of 2760	2344	cca38e573543038958bfac0734582d86.exe	37
PID 2344 wrote to memory of 2760	2344	cca38e573543038958bfac0734582d86.exe	37
PID 2344 wrote to memory of 2788	2344	cca38e573543038958bfac0734582d86.exe	38
PID 2344 wrote to memory of 2788	2344	cca38e573543038958bfac0734582d86.exe	38
PID 2344 wrote to memory of 2788	2344	cca38e573543038958bfac0734582d86.exe	38
PID 2344 wrote to memory of 2788	2344	cca38e573543038958bfac0734582d86.exe	38
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39
PID 2788 wrote to memory of 2552	2788	lsass.exe	39

C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe
"C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe
  "C:\Users\Admin\AppData\Local\Temp\cca38e573543038958bfac0734582d86.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2632
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1948
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2312
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2268
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2660
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3232
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2624
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2164
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2332
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1032
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2072
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3660
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3748
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3636
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3496
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        
        PID:4276
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        
        PID:4344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4984
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:5116
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        21⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4516
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        22⤵
        
        PID:4340
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        23⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5160
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        24⤵
        
        PID:5688
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        25⤵
        
        PID:5740
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:912
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2348
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:688
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1780
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3524
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3720
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3156
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        
        PID:3772
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        
        PID:4148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4784
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        
        PID:4968
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        
        PID:5048
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2216
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:752
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2324
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3532
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3792
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3728
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        
        PID:4228
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2624
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:624
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2972
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:780
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3076
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3856
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4332
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        
        PID:4516
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4312
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        
        PID:4924
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4464
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        
        PID:5524
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        
        PID:5596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5908
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3128
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3388
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3200
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3876
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:3228
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4364
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:4508
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4224
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        
        PID:4840
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4720
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        
        PID:5224
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        
        PID:5292
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:3964
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:1252
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:4316
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:4560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4184
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:3208
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:4608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4496
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:5112
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:4828
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:4884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4428
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:5108
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:5068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5560
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:6100
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:4388
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:4440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4156
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:3928
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5176
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        
        PID:5860
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:4812
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:4108
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:1348
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:4652
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:5140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5428
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        
        PID:5896
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:5476
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:5792
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:5940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6124
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      PID:6048
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        
        PID:6140
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2736
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2564
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2572
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2444
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2760
- - C:\Windows\Cftmon\lsass.exe
    "C:\Windows\Cftmon\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\Cftmon\lsass.exe
      "C:\Windows\Cftmon\lsass.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:2552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2244
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2916
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1956
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1896
    - - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2684
      - C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1644
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1916
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2848
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2524
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        14⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3352
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        16⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3040
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        17⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        18⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3132
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        19⤵
        
        PID:3580
        
        C:\Windows\Cftmon\lsass.exe
        
        "C:\Windows\Cftmon\lsass.exe"
        20⤵
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\88603cb2913a7df3fbd16b5f958e6447_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\fs6qeW.cfg

Filesize
1KB

MD5
db9e658207adfe772bd1272abfdeb769

SHA1
20f05518d4a5bdf7559dfee97bb1a36a32ab8f8f

SHA256
b1cb4b5a3e6d7fc78361b8cc2a79ea7e9a7b5b1f0cd0a514fa1e79923452f7f6

SHA512
5678d404b1f8a025dad2a7652e191099716772d6e3c5651154c3597d3e8b23b1a893b138b6e5185626f81a54b909759dc9e154c7450cc605fea16fc7713d5af0

Download Submit
C:\Windows\Cftmon\lsass.exe

Filesize
101KB

MD5
cca38e573543038958bfac0734582d86

SHA1
03caa3e2162c48a8415a9790e8f7c8811e1fb7d0

SHA256
312dfa792eb586be24fcdd1fa030b403d62711dcc75138923688111ad80d524d

SHA512
83af9319e2da7893ce0d98e8da9e9fb63778f6c2d6358bdfc5a7b6542670517a59eecc2da1ffc2e80a810952e1d1cf59aa1b579c8b6c1902a6c90cffbdab83a2

Download Submit
memory/320-76-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/320-86-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/336-125-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/336-158-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/600-151-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/888-502-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/888-431-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/992-342-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1632-216-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1736-357-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1780-231-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1780-320-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1908-483-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1948-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2060-250-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2072-188-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-372-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-298-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2300-466-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-137-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-101-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-13-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-353-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-5-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-11-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-29-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-435-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2400-406-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2400-496-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2552-46-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2552-41-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2560-465-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2632-22-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2668-269-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2684-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2688-309-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2688-376-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2704-80-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2752-285-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2788-42-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2804-371-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2940-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-333-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2960-420-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3128-630-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3128-555-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3144-531-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3172-773-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3184-482-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3184-459-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3204-679-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3204-607-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3208-624-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3428-478-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3428-562-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3448-685-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3448-620-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3584-704-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3600-578-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3600-499-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3624-573-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3624-660-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3772-589-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3812-599-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3812-706-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3812-524-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3824-667-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4148-757-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4344-699-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4344-762-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4560-792-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads