xtremerat | 84f122fef590559137031773773218340a7e39af5e23a0167feacca2226406b8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
Size

19KB
MD5

ead49efd7212c6db7581dd0a0289da0d
SHA1

aebda29d201d12901d62e2986ae8df64402ef7db
SHA256

84f122fef590559137031773773218340a7e39af5e23a0167feacca2226406b8
SHA512

9cd1dc5b963ff8e8d69836da908cd12dbb2c1b9e9cd5cffcbd6cb8792f89d0f9dece74b79e84b63140f216b8cc59885113eb512e0fd9c233abdf1a638f08614d
SSDEEP

384:3HKZfuH87GowDqGoMwevqxP6k6zIDwPVBSHGuwa3BDLx6Q7R:aZfuHUvwDKP6kMpaGux1Iy

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2284-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2128-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2128-26-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2708-27-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2708-40-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2988-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/816-52-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/816-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1984-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1984-75-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2216-77-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1460-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2216-89-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1460-100-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2076-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2076-114-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2076-116-0x0000000002BD0000-0x0000000002BE5000-memory.dmp	family_xtremerat
behavioral1/memory/2376-117-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2376-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/912-128-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/912-140-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1108-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1108-152-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2908-154-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2768-168-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2908-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2768-178-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1136-180-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1136-192-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1980-195-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1980-204-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1904-206-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1904-215-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2608-217-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2608-225-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2152-226-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2152-235-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2112-236-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2112-244-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1552-245-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1552-254-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2688-255-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2688-264-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1428-265-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1428-274-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2772-275-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2772-283-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2800-284-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2800-293-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1948-294-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1948-302-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3088-303-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3088-312-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3228-313-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3228-321-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3372-322-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3372-331-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3516-333-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3516-341-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3656-342-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3796-352-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3656-351-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3796-360-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3936-361-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

windll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exeead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Windows\\system32\\InstallDir\\windll.exe restart"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R1F1O22J-AK52-3J3M-S068-W4I3RG1Q5V4U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe restart"	windll.exe

Executes dropped EXE 32 IoCs

Processes:

windll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exe

pid	process
2128	windll.exe
2708	windll.exe
2988	windll.exe
816	windll.exe
1984	windll.exe
2216	windll.exe
1460	windll.exe
2076	windll.exe
2376	windll.exe
912	windll.exe
1108	windll.exe
2908	windll.exe
2768	windll.exe
1136	windll.exe
1980	windll.exe
1904	windll.exe
2608	windll.exe
2152	windll.exe
2112	windll.exe
1552	windll.exe
2688	windll.exe
1428	windll.exe
2772	windll.exe
2800	windll.exe
1948	windll.exe
3088	windll.exe
3228	windll.exe
3372	windll.exe
3516	windll.exe
3656	windll.exe
3796	windll.exe
3936	windll.exe

Loads dropped DLL 49 IoCs

Processes:

ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exewindll.exe

pid	process
2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
2128	windll.exe
2128	windll.exe
2708	windll.exe
2708	windll.exe
2988	windll.exe
816	windll.exe
816	windll.exe
1984	windll.exe
2216	windll.exe
2216	windll.exe
1460	windll.exe
2076	windll.exe
2076	windll.exe
2376	windll.exe
912	windll.exe
912	windll.exe
1108	windll.exe
2908	windll.exe
2908	windll.exe
2768	windll.exe
1136	windll.exe
1136	windll.exe
1980	windll.exe
1904	windll.exe
1904	windll.exe
2608	windll.exe
2152	windll.exe
2152	windll.exe
2112	windll.exe
1552	windll.exe
1552	windll.exe
2688	windll.exe
1428	windll.exe
1428	windll.exe
2772	windll.exe
2800	windll.exe
2800	windll.exe
1948	windll.exe
3088	windll.exe
3088	windll.exe
3228	windll.exe
3372	windll.exe
3372	windll.exe
3516	windll.exe
3656	windll.exe
3656	windll.exe
3796	windll.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2284-0-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
\Windows\SysWOW64\InstallDir\windll.exe	upx
behavioral1/memory/2284-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2128-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2128-26-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2708-27-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2708-40-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2988-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2988-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/816-52-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/816-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1984-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1984-75-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2216-77-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1460-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2216-89-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1460-100-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2076-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2076-114-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2376-117-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2376-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/912-128-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/912-140-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1108-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1108-152-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2908-154-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2768-168-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2908-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2768-178-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1136-180-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/912-194-0x0000000002A90000-0x0000000002AA5000-memory.dmp	upx
behavioral1/memory/1136-192-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1980-195-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1980-204-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1904-206-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1904-215-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2608-217-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2608-225-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2152-226-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2152-235-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2112-236-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2112-244-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1552-245-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1552-254-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2688-255-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2688-264-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1428-265-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1428-274-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2772-275-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2772-283-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2800-284-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2800-293-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1948-294-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1948-302-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3088-303-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3088-312-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3228-313-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3228-321-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3372-322-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3372-331-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3516-333-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3516-341-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3656-342-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3796-352-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\windll.exe"	windll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\windll.exe"	windll.exe

Drops file in System32 directory 50 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File created	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\windll.exe	windll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exewindll.exe

description	pid	process	target process
PID 2284 wrote to memory of 2188	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2188	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2188	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2188	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2188	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2196	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2196	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2196	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2196	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2196	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2540	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2540	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2540	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2540	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2540	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2208	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2208	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2208	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2208	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2208	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2168	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2168	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2168	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2168	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2168	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3008	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3008	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3008	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3008	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3008	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3028	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3028	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3028	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3028	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3028	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3032	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3032	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3032	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 3032	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	iexplore.exe
PID 2284 wrote to memory of 2128	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	windll.exe
PID 2284 wrote to memory of 2128	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	windll.exe
PID 2284 wrote to memory of 2128	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	windll.exe
PID 2284 wrote to memory of 2128	2284	ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe	windll.exe
PID 2128 wrote to memory of 2652	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2652	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2652	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2652	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2652	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2644	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2644	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2644	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2644	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2644	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2548	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2548	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2548	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2548	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2548	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2832	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2832	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2832	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2832	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2832	2128	windll.exe	iexplore.exe
PID 2128 wrote to memory of 2700	2128	windll.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead49efd7212c6db7581dd0a0289da0d_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:3008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:3028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:3032

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2636

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2744

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2020

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2752

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2116

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1476

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1488

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2384

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2324

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1776

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2444

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
13⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1572

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2236

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
15⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2060

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
16⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:3056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:3068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1744

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
17⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2128

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1520

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
19⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:284

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
20⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2408

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
21⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2600

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
22⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2272

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
23⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:620

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2908

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
25⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2740

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
26⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2876

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
27⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3212

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
28⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3356

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
29⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3500

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3640

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
31⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3780

C:\Windows\SysWOW64\InstallDir\windll.exe
"C:\Windows\system32\InstallDir\windll.exe"
32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3920

C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\windll.exe"
33⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
34⤵
PID:3988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
34⤵
PID:3996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
34⤵
PID:4008

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pX4P6l.cfg
Filesize
1KB

MD5
e9c605174383871ec3bcced0f7ef6ef2

SHA1
3a2386b8fdad2f0600403d7673e5d527d211fd17

SHA256
73480e281f141b198c24992a73e35f702b13e14b47c1974dbafcd67ec10d9fb4

SHA512
627d2fc05a9f3cc5f059cf6209a1019bfa6e4f8f411b2c91b8e246203f0b99593106e9f2140012aa96fc200547c0e764aafce340be05c1e2b98af986d0819fef

Download Submit
\Windows\SysWOW64\InstallDir\windll.exe
Filesize
19KB

MD5
ead49efd7212c6db7581dd0a0289da0d

SHA1
aebda29d201d12901d62e2986ae8df64402ef7db

SHA256
84f122fef590559137031773773218340a7e39af5e23a0167feacca2226406b8

SHA512
9cd1dc5b963ff8e8d69836da908cd12dbb2c1b9e9cd5cffcbd6cb8792f89d0f9dece74b79e84b63140f216b8cc59885113eb512e0fd9c233abdf1a638f08614d

Download Submit
memory/816-64-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/816-52-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/912-194-0x0000000002A90000-0x0000000002AA5000-memory.dmp

Filesize
84KB

Download
memory/912-142-0x0000000002A90000-0x0000000002AA5000-memory.dmp

Filesize
84KB

Download
memory/912-140-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/912-128-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1108-152-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1108-143-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1136-192-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1136-180-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1428-274-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1428-265-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1460-100-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1460-91-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1552-245-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1552-254-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1904-215-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1904-216-0x0000000002A90000-0x0000000002AA5000-memory.dmp

Filesize
84KB

Download
memory/1904-259-0x0000000002A90000-0x0000000002AA5000-memory.dmp

Filesize
84KB

Download
memory/1904-206-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1948-294-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1948-302-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1980-204-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1980-195-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1984-75-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1984-66-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2076-102-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2076-116-0x0000000002BD0000-0x0000000002BE5000-memory.dmp

Filesize
84KB

Download
memory/2076-114-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2076-172-0x0000000002BD0000-0x0000000002BE5000-memory.dmp

Filesize
84KB

Download
memory/2112-244-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2112-236-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2128-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2128-26-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2152-226-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2152-235-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2216-77-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2216-89-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2284-0-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2284-12-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2284-13-0x0000000002BD0000-0x0000000002BE5000-memory.dmp

Filesize
84KB

Download
memory/2376-126-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2376-117-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2608-217-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2608-225-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2688-255-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2688-264-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2708-27-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2708-40-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2768-178-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2768-168-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2772-275-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2772-283-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2800-284-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2800-293-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2908-166-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2908-154-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2988-41-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2988-50-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3088-312-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3088-303-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3228-313-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3228-321-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3372-322-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3372-331-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3372-332-0x0000000002BE0000-0x0000000002BF5000-memory.dmp

Filesize
84KB

Download
memory/3516-333-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3516-341-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3656-342-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3656-351-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3796-352-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3796-360-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3936-361-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads