xtremerat | 1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536

Analysis

max time kernel
56s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Size

226KB
MD5

ea95c71d3c8f55d6a51ae43dd9cde9d9
SHA1

25460dbd2c7e996de80285971e787fb83e38d32e
SHA256

1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
SHA512

789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
SSDEEP

6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk

Score

10^/10

xtremerat bootkit persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

a411.no-ip.info

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2560-51-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2560-58-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2416-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2560-73-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2500-87-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 41 IoCs

Processes:

tim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

pid	process
1152	tim.exe
2500	tim.exe
2896	tim.exe
1256	tim.exe
1700	tim.exe
2092	tim.exe
2068	tim.exe
2100	tim.exe
2228	tim.exe
1828	tim.exe
1956	tim.exe
2632	tim.exe
2380	tim.exe
1480	tim.exe
1476	tim.exe
440	tim.exe
2304	tim.exe
1708	tim.exe
1572	tim.exe
2016	tim.exe
2372	tim.exe
2860	tim.exe
1876	tim.exe
2596	tim.exe
2556	tim.exe
2560	tim.exe
2732	tim.exe
1988	tim.exe
1964	tim.exe
2820	tim.exe
1680	tim.exe
2640	tim.exe
764	tim.exe
1948	tim.exe
1036	tim.exe
1992	tim.exe
2144	tim.exe
1088	tim.exe
2760	tim.exe
2504	tim.exe
3000	tim.exe

Loads dropped DLL 10 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exesvchost.exe

pid	process
2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-45-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-49-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-51-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-58-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2416-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-73-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2500-87-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 22 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe
File opened for modification	\??\PhysicalDrive0	tim.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	pid	process	target process
PID 1756 set thread context of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1152 set thread context of 2500	1152	tim.exe	tim.exe
PID 2896 set thread context of 1256	2896	tim.exe	tim.exe
PID 2092 set thread context of 2068	2092	tim.exe	tim.exe
PID 1700 set thread context of 2100	1700	tim.exe	tim.exe
PID 2228 set thread context of 1956	2228	tim.exe	tim.exe
PID 1828 set thread context of 2632	1828	tim.exe	tim.exe
PID 2380 set thread context of 1480	2380	tim.exe	tim.exe
PID 1476 set thread context of 440	1476	tim.exe	tim.exe
PID 2304 set thread context of 1708	2304	tim.exe	tim.exe
PID 1572 set thread context of 2016	1572	tim.exe	tim.exe
PID 2860 set thread context of 1876	2860	tim.exe	tim.exe
PID 2596 set thread context of 2556	2596	tim.exe	tim.exe
PID 2560 set thread context of 2732	2560	tim.exe	tim.exe
PID 2372 set thread context of 1988	2372	tim.exe	tim.exe
PID 2820 set thread context of 1680	2820	tim.exe	tim.exe
PID 2640 set thread context of 764	2640	tim.exe	tim.exe
PID 1948 set thread context of 1036	1948	tim.exe	tim.exe
PID 1964 set thread context of 1992	1964	tim.exe	tim.exe
PID 1088 set thread context of 2760	1088	tim.exe	iexplore.exe
PID 2504 set thread context of 3000	2504	tim.exe	tim.exe

Drops file in Windows directory 41 IoCs

Processes:

tim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	ioc	process
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File created	C:\Windows\winar\tim.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tim.exetim.exetim.exetim.exetim.exetim.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

pid	process
1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
1152	tim.exe
2896	tim.exe
2092	tim.exe
1700	tim.exe
2228	tim.exe
1828	tim.exe
2380	tim.exe
1476	tim.exe
2304	tim.exe
1572	tim.exe
2860	tim.exe
2596	tim.exe
2560	tim.exe
2372	tim.exe
2820	tim.exe
2640	tim.exe
1948	tim.exe
1964	tim.exe
1088	tim.exe
2504	tim.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exe

description	pid	process	target process
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1756 wrote to memory of 2560	1756	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 2560 wrote to memory of 2416	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 2560 wrote to memory of 2416	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 2560 wrote to memory of 2416	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 2560 wrote to memory of 2416	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 2560 wrote to memory of 2416	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 2560 wrote to memory of 2520	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2520	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2520	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2520	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2520	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2900	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2900	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2900	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2900	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2900	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2116	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2116	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2116	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2116	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2116	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2280	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2280	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2280	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2280	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2280	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2184	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2184	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2184	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2184	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 2184	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1908	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1908	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1908	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1908	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1908	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1896	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1896	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1896	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1896	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1896	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 324	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 324	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 324	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 324	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	iexplore.exe
PID 2560 wrote to memory of 1152	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 2560 wrote to memory of 1152	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 2560 wrote to memory of 1152	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 2560 wrote to memory of 1152	2560	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe
PID 1152 wrote to memory of 2500	1152	tim.exe	tim.exe

C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Loads dropped DLL
PID:2416

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1596

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1796

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:660

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1952

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1264

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
13⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2776

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
15⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2144

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
16⤵
PID:2632

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
17⤵
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3084

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
18⤵
PID:3108

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
19⤵
PID:3148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3708

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:564

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2148

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1972

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1368

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
PID:832

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
13⤵
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1820

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
14⤵
PID:2504

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
15⤵
PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3396

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
16⤵
PID:3620

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
17⤵
PID:3816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:4008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:4028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:4076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1432

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
18⤵
PID:3276

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:796

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2616

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2580

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
PID:764

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2196

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2884

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1352

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
PID:1460

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
PID:3268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3548

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
PID:3596

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
PID:2764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4040

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
PID:3168

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
13⤵
PID:828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3784

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2144

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:2560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:832

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:2632

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3328

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
PID:3368

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
PID:3656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3988

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
PID:4052

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
PID:4084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:3248

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:2504

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2372

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3452

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3136

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:3216

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:3592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4068

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
PID:3604

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
PID:3620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3660

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
PID:4132

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
PID:4256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:4612

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
PID:4768

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3824

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3872

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3000

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3700

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:3880

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:3780

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3672

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3124

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:3604

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:3652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1064

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:4004

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3420

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3000

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3564

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:2500

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:3212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4052

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
PID:4208

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
PID:4344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:4640

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
PID:4760

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3172

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4056

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3640

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:3924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4168

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:4312

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:4848

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:3672

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:4112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4504

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:4564

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
PID:4668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:4880

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:4320

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:4648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4788

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:4684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:324

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2488

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1764

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
b84c6bacadd226389a422c878def902a

SHA1
c8475cfd4b0ff1199a6b02fb213f4fb11886cb07

SHA256
9755f94de1f241c5ac0b1fa9dee88ef18305563510a1d9adb00b3276fadade0d

SHA512
c6146e0ae39aa8f5e3add6d442632dd8e6a451b86ea37676da58f39cb2a46efde3a124f750a084fb1a80560451c42241eaaefb8e5db0564d78cfc6966eee0632

Download Submit
C:\Windows\winar\tim.exe
Filesize
226KB

MD5
ea95c71d3c8f55d6a51ae43dd9cde9d9

SHA1
25460dbd2c7e996de80285971e787fb83e38d32e

SHA256
1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536

SHA512
789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1152-84-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1152-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1152-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1152-78-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1152-77-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1152-74-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1476-629-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1572-673-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1700-160-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1756-48-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1756-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1756-40-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1756-39-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1756-38-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1756-1-0x0000000000390000-0x0000000000395000-memory.dmp

Filesize
20KB

Download
memory/1756-46-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1756-3-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1756-50-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1756-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1756-52-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1756-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1756-44-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1756-37-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1756-36-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1756-34-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1756-33-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1756-32-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1756-31-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1756-30-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1756-29-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1756-28-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1756-27-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1756-26-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1756-25-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1756-24-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1756-23-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1756-22-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1756-21-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1756-20-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1756-19-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1756-18-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1756-16-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1756-15-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1756-12-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1756-41-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1756-13-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1756-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1756-54-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/1756-53-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1756-55-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1756-56-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1756-57-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1756-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1756-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1756-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1756-43-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1756-5-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1756-42-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1756-35-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1756-17-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1756-10-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1828-591-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2092-130-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2228-585-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2304-647-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2380-617-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2416-65-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2416-67-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2500-87-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-58-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-73-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-51-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-49-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-72-0x0000000002F60000-0x0000000002FEE000-memory.dmp

Filesize
568KB

Download
memory/2560-45-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2860-701-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2896-108-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2896-98-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2896-95-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2896-94-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2896-91-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads