xtremerat | 93d5c61502be2d10ab68e6faa675609ab41dd8b4ec4afba589f6ef9799ba004f

General

Target

e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
Size

775KB
MD5

e388050c5f04c03e6a256da3ca301433
SHA1

73e6a7881fa9448d4b3c3a6fd629a7f5b72a4295
SHA256

93d5c61502be2d10ab68e6faa675609ab41dd8b4ec4afba589f6ef9799ba004f
SHA512

b07017c503e8509a2858d0550d24d6a79796f7eb34edfc179ee2ee7a54739d23af2a15260f329f698ee8d2bf9e1c5dd8df8bdf35684233d8f1dc2fc6338c68c9
SSDEEP

12288:8dIasG+o0eY7YGAZ5lWIasG+o0eY7YGAZ5l:8aasDodmY9JasDodmY9

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

mosad.xro.tzo.net

Signatures

Detect XtremeRAT payload 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1800-5-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
C:\Windows\SysWOW64\InstallDir\Server.exe	family_xtremerat
behavioral1/memory/3028-7-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/3060-13-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2480-21-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2448-30-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2672-37-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe	family_xtremerat
behavioral1/memory/1820-45-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1632-52-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/580-60-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/412-67-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1172-75-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1100-82-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1272-90-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2004-97-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2496-105-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2448-112-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1820-116-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1188-120-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/412-124-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1344-128-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1532-132-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1984-136-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2284-140-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/1624-144-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2372-148-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2320-152-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/2372-156-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat
behavioral1/memory/3116-160-0x0000000013140000-0x0000000013210000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exee388050c5f04c03e6a256da3ca301433_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exesvchost.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe

Executes dropped EXE 27 IoCs

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

pid	process
3060	Server.exe
2480	Server.exe
2448	Server.exe
2672	Server.exe
1820	Server.exe
1632	Server.exe
580	Server.exe
412	Server.exe
1172	Server.exe
1100	Server.exe
1272	Server.exe
2004	Server.exe
2496	Server.exe
2448	Server.exe
1820	Server.exe
1188	Server.exe
412	Server.exe
1344	Server.exe
1532	Server.exe
1984	Server.exe
2284	Server.exe
1624	Server.exe
2372	Server.exe
2320	Server.exe
2372	Server.exe
3116	Server.exe
3232	Server.exe

Loads dropped DLL 54 IoCs

Processes:

svchost.exe

pid	process
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exee388050c5f04c03e6a256da3ca301433_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe

Drops file in System32 directory 56 IoCs

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exee388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exesvchost.exeServer.exe

description	pid	process	target process
PID 3028 wrote to memory of 1800	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1800	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1800	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1800	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1800	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1312	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 1312	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 1312	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 1312	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 1312	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2188	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2188	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2188	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2188	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2188	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2524	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2524	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2524	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2524	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2524	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2580	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2580	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2580	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2580	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2580	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2144	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2144	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2144	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2144	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2144	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2628	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2628	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2628	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2628	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2628	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2640	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2640	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2640	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2640	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2640	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2652	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2652	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2652	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 3028 wrote to memory of 2652	3028	e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe	iexplore.exe
PID 1800 wrote to memory of 3060	1800	svchost.exe	Server.exe
PID 1800 wrote to memory of 3060	1800	svchost.exe	Server.exe
PID 1800 wrote to memory of 3060	1800	svchost.exe	Server.exe
PID 1800 wrote to memory of 3060	1800	svchost.exe	Server.exe
PID 3060 wrote to memory of 2852	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2852	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2852	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2852	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2852	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2596	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2596	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2596	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2596	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2596	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2732	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2732	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2732	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2732	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2732	3060	Server.exe	iexplore.exe
PID 3060 wrote to memory of 2236	3060	Server.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e388050c5f04c03e6a256da3ca301433_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2460

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3008

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:716

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1084

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1640

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2316

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2088

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1332

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1960

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2900

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2840

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2856

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2800

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:892

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1508

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1180

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1400

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1616

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2756

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1780

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2920

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:944

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1188

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1480

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3100

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3216

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2652

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
Filesize
775KB

MD5
5e67dc27cc23586674c8e57462454a4a

SHA1
ef8e26dcb5256c8854409caafa0aa6f2856ad541

SHA256
80e7911f46a06161e9d1c9897890f5da3c85c5ad88faf90fb0466be41500ddf7

SHA512
1e642c57d03fc313e7604b2abb29a2776a41acc42666e0238cc8ad60aa81f915fde132bc67bda358b25ea51574e7a5118660eb52cc96610918ea04914c8cc235

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
Filesize
64KB

MD5
5528711bcf43dabf60af3d716a418dec

SHA1
2cd5f27fbf7be5b7106de49121fa0e65572dad0c

SHA256
b3a9c4b9568a69bfcbc6b3ca6ddc2737b2bac2ed646ef7ddd457e39d87eaf9a6

SHA512
f7854540e2848c2458d3fb64508e278395b175c363525eb9c0e4f029426f2f3efbf4fa7c23fed795a1e273c95e99229c135039a6fa05b375fe5c3f2a95f8e20a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
Filesize
775KB

MD5
705e7d333664c6f486774259b09804cf

SHA1
50f13146a49088a9f8abef2345622e9caa71ed87

SHA256
333509dd59e475e37b463a6da633ba19ce0370422c7d2cb94501aea3c5a91fbd

SHA512
1e7d3b6d3c87e73075db642d5ec8b25dffe6dfc9ffc549db84de73e01d270bf26cd319476ff37db63fb0fddc048c115b9d49588b03bb08097c4e1203d824eaf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((mosed)).cfg
Filesize
1KB

MD5
71c1a60508c6e65277678f6145fd4e2a

SHA1
9c11ea465104605ecebcd1d05cd7c76fc20a08f3

SHA256
ac9a498a671628bad6111c2c94379b1b33ee5db733459477bb92f9b2b2a304e3

SHA512
930ccb3c2d2ef3423837fc21f6b1e376577c18ac1a2b901af9982bc9a4c55c83d91cba0a8d62319b2b15ea0d1a02d7698e9cc8c340c3fe74a31185c7c86b6cd5

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe
Filesize
775KB

MD5
e388050c5f04c03e6a256da3ca301433

SHA1
73e6a7881fa9448d4b3c3a6fd629a7f5b72a4295

SHA256
93d5c61502be2d10ab68e6faa675609ab41dd8b4ec4afba589f6ef9799ba004f

SHA512
b07017c503e8509a2858d0550d24d6a79796f7eb34edfc179ee2ee7a54739d23af2a15260f329f698ee8d2bf9e1c5dd8df8bdf35684233d8f1dc2fc6338c68c9

Download Submit
memory/412-124-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/412-67-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/580-60-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1100-82-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1172-75-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1188-120-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1272-90-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1344-128-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1532-132-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1624-144-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1632-52-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1800-3-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1800-5-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1820-116-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1820-45-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/1984-136-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2004-97-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2284-140-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2320-152-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2372-148-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2372-156-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2448-30-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2448-112-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2480-21-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2496-105-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/2672-37-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/3028-7-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/3060-13-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download
memory/3116-160-0x0000000013140000-0x0000000013210000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads