5504c20f7875172aac0f018ed73f2abe0443bffce5d1da10f6692c9be3932cbc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 08:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe
Size

6KB
MD5

f555376d1ba616398abf591172c7b18c
SHA1

0f451c3089b4b754530b08147aece7a5e58f2888
SHA256

5504c20f7875172aac0f018ed73f2abe0443bffce5d1da10f6692c9be3932cbc
SHA512

c43d713d0df5984a097e636895d5c9e88415a30d380237b1da8197b70328732d8998190358c57b7bc8f4c5384aff83829dfc0a2a45171be631fbf1191bf3ce63
SSDEEP

192:nnxZ+Z/mr9pSWsllVdWOVv00Dg8KblbyL+D:WhmbilVdJVvrDg88byL6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	USBWorm.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe
1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TestUSBWorm = "C:\\Windows\\system32\\USBWorm.exe"	reg.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	USBWorm.exe
File opened for modification	C:\AutoRun.inf	USBWorm.exe
File created	F:\AutoRun.inf	USBWorm.exe
File opened for modification	F:\AutoRun.inf	USBWorm.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\USBWorm.exe	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\USBWorm.exe	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2992	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2992	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2992	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2992	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2908	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	30
PID 1400 wrote to memory of 2908	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	30
PID 1400 wrote to memory of 2908	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	30
PID 1400 wrote to memory of 2908	1400	f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2516	2908	USBWorm.exe	31
PID 2908 wrote to memory of 2516	2908	USBWorm.exe	31
PID 2908 wrote to memory of 2516	2908	USBWorm.exe	31
PID 2908 wrote to memory of 2516	2908	USBWorm.exe	31
PID 2992 wrote to memory of 2540	2992	cmd.exe	32
PID 2992 wrote to memory of 2540	2992	cmd.exe	32
PID 2992 wrote to memory of 2540	2992	cmd.exe	32
PID 2992 wrote to memory of 2540	2992	cmd.exe	32
PID 2908 wrote to memory of 2512	2908	USBWorm.exe	34
PID 2908 wrote to memory of 2512	2908	USBWorm.exe	34
PID 2908 wrote to memory of 2512	2908	USBWorm.exe	34
PID 2908 wrote to memory of 2512	2908	USBWorm.exe	34
PID 2512 wrote to memory of 2596	2512	cmd.exe	36
PID 2512 wrote to memory of 2596	2512	cmd.exe	36
PID 2512 wrote to memory of 2596	2512	cmd.exe	36
PID 2512 wrote to memory of 2596	2512	cmd.exe	36
PID 2908 wrote to memory of 2804	2908	USBWorm.exe	37
PID 2908 wrote to memory of 2804	2908	USBWorm.exe	37
PID 2908 wrote to memory of 2804	2908	USBWorm.exe	37
PID 2908 wrote to memory of 2804	2908	USBWorm.exe	37
PID 2804 wrote to memory of 528	2804	cmd.exe	39
PID 2804 wrote to memory of 528	2804	cmd.exe	39
PID 2804 wrote to memory of 528	2804	cmd.exe	39
PID 2804 wrote to memory of 528	2804	cmd.exe	39
PID 2908 wrote to memory of 372	2908	USBWorm.exe	40
PID 2908 wrote to memory of 372	2908	USBWorm.exe	40
PID 2908 wrote to memory of 372	2908	USBWorm.exe	40
PID 2908 wrote to memory of 372	2908	USBWorm.exe	40
PID 372 wrote to memory of 2652	372	cmd.exe	42
PID 372 wrote to memory of 2652	372	cmd.exe	42
PID 372 wrote to memory of 2652	372	cmd.exe	42
PID 372 wrote to memory of 2652	372	cmd.exe	42
PID 2908 wrote to memory of 2812	2908	USBWorm.exe	43
PID 2908 wrote to memory of 2812	2908	USBWorm.exe	43
PID 2908 wrote to memory of 2812	2908	USBWorm.exe	43
PID 2908 wrote to memory of 2812	2908	USBWorm.exe	43
PID 2812 wrote to memory of 1116	2812	cmd.exe	45
PID 2812 wrote to memory of 1116	2812	cmd.exe	45
PID 2812 wrote to memory of 1116	2812	cmd.exe	45
PID 2812 wrote to memory of 1116	2812	cmd.exe	45
PID 2908 wrote to memory of 1928	2908	USBWorm.exe	46
PID 2908 wrote to memory of 1928	2908	USBWorm.exe	46
PID 2908 wrote to memory of 1928	2908	USBWorm.exe	46
PID 2908 wrote to memory of 1928	2908	USBWorm.exe	46
PID 1928 wrote to memory of 2028	1928	cmd.exe	48
PID 1928 wrote to memory of 2028	1928	cmd.exe	48
PID 1928 wrote to memory of 2028	1928	cmd.exe	48
PID 1928 wrote to memory of 2028	1928	cmd.exe	48
PID 2908 wrote to memory of 1648	2908	USBWorm.exe	49
PID 2908 wrote to memory of 1648	2908	USBWorm.exe	49
PID 2908 wrote to memory of 1648	2908	USBWorm.exe	49
PID 2908 wrote to memory of 1648	2908	USBWorm.exe	49
PID 1648 wrote to memory of 2400	1648	cmd.exe	51
PID 1648 wrote to memory of 2400	1648	cmd.exe	51
PID 1648 wrote to memory of 2400	1648	cmd.exe	51
PID 1648 wrote to memory of 2400	1648	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f555376d1ba616398abf591172c7b18c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c bat.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg import key.reg
    3⤵
    PID:2540
- C:\Windows\SysWOW64\USBWorm.exe
  C:\Windows\system32\USBWorm.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1284
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:416
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:608
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:580
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:564
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:308
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:416
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:308
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:484
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:800
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:708
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      Adds Run key to start application
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c bat.bat
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      reg import key.reg
      4⤵
      PID:1728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
47B

MD5
3f73e850701f2426bad7b8bea0481018

SHA1
9499fa5bdb83f2eaf5d63f619c1662dee24bf1a7

SHA256
9c26df4e24dd3e95a5789f20890b9f6e3f36b4bb6ae516ffe932c4b3d082a189

SHA512
8a5c6171329890edd6a92b70bc82c1ccc35dfb3be40f73a62c0ae43b7a969785b3b8f71f6495e35d23ddb3856a7791c041b75bcfc3dc312775cd56faedeb75eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.reg

Filesize
128B

MD5
50af90903ae80bf4b1a464d13af52160

SHA1
d4578c7f6f80a752fa8cec8f532631ec4c638675

SHA256
fe652c72c6ea2151a98d69a2c8bde2ae18e94a06ed640c0280be1ce3428f296b

SHA512
8d29de335b0ba6d50ca998c3359839c63b11f66201ed9726d4c8e9a9a60f9145f6817065729355ba848d6a68f8963ea77c002313be5fefbf76c8b0151d2f6898

Download Submit
\Windows\SysWOW64\USBWorm.exe

Filesize
6KB

MD5
f555376d1ba616398abf591172c7b18c

SHA1
0f451c3089b4b754530b08147aece7a5e58f2888

SHA256
5504c20f7875172aac0f018ed73f2abe0443bffce5d1da10f6692c9be3932cbc

SHA512
c43d713d0df5984a097e636895d5c9e88415a30d380237b1da8197b70328732d8998190358c57b7bc8f4c5384aff83829dfc0a2a45171be631fbf1191bf3ce63

Download Submit
memory/1400-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1400-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1400-18-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2340-561-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2340-34-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2340-35-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/2908-1074-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-1307-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-520-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-702-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-883-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-270-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-519-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-1491-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-1672-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-1853-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-2084-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-2265-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-2456-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-2637-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-2868-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads