xtremerat | f9a216ea7cad2d3b950157140054a44be53208dadfb2cf370750e1d1b11ae3c9

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Size

794KB
MD5

f6fb5d75bf7566772a043526fc3a2508
SHA1

96bf4f9f083d3e290356fc9fc652fd10ea979997
SHA256

f9a216ea7cad2d3b950157140054a44be53208dadfb2cf370750e1d1b11ae3c9
SHA512

83a0cc2d06a7a76b40b601cbc667d00c7c9e977b2472258019dd30fb7d7604af6f58bd80655dc1789077f72e275a9b94eb98f90f98f54dfa3dc10ed024a4ecb0
SSDEEP

12288:FnQSEnzQ6FcnUqma7elTcqifgMUAzx7uokpnelS2RKFn9ReDxSbsOCSsuZ:JuzQq6UqwlTcqY7epnePd81NZ

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

3r9-99.no-ip.org

Signatures

Detect XtremeRAT payload 42 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-3-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2364-4-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2364-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2364-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2696-14-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2364-23-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2652-34-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2652-36-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2632-46-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2632-49-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1952-59-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1952-61-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/964-71-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/964-75-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2880-84-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2880-87-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2500-96-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2500-100-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1936-109-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1936-111-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2852-121-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2852-125-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3024-134-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3024-136-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2400-146-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2400-150-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1892-159-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1892-162-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/748-171-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/748-175-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2888-184-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2888-187-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/928-196-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/928-200-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2956-210-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2956-213-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2412-223-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2412-227-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1728-237-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1728-240-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2924-250-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2924-254-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\erxll.exe restart"	erxll.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2696 explorer.exe

pid	process
2696	explorer.exe

Executes dropped EXE 51 IoCs

Processes:

erxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exe

pid	process
2768	erxll.exe
2652	erxll.exe
2388	erxll.exe
2632	erxll.exe
804	erxll.exe
1952	erxll.exe
1604	erxll.exe
964	erxll.exe
1360	erxll.exe
2880	erxll.exe
2596	erxll.exe
2500	erxll.exe
828	erxll.exe
1936	erxll.exe
564	erxll.exe
2852	erxll.exe
1388	erxll.exe
3024	erxll.exe
2564	erxll.exe
2400	erxll.exe
2644	erxll.exe
1892	erxll.exe
1952	erxll.exe
748	erxll.exe
1000	erxll.exe
2888	erxll.exe
1756	erxll.exe
928	erxll.exe
2968	erxll.exe
2956	erxll.exe
2664	erxll.exe
2412	erxll.exe
1248	erxll.exe
1728	erxll.exe
1000	erxll.exe
2924	erxll.exe
2728	erxll.exe
2700	erxll.exe
2736	erxll.exe
2632	erxll.exe
1716	erxll.exe
2880	erxll.exe
3052	erxll.exe
1260	erxll.exe
1716	erxll.exe
2856	erxll.exe
1788	erxll.exe
2508	erxll.exe
1716	erxll.exe
1304	erxll.exe
3096	erxll.exe

Loads dropped DLL 2 IoCs

Processes:

f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

pid process

2364 f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
2364 f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

pid	process
2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

erxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exef6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	erxll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxl = "C:\\Windows\\InstallDir\\erxll.exe"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

Drops file in System32 directory 54 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe
File opened for modification	C:\Windows\SysWOW64\MSVBVM60.DLL	erxll.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exe

description	pid	process	target process
PID 1116 set thread context of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 2768 set thread context of 2652	2768	erxll.exe	erxll.exe
PID 2388 set thread context of 2632	2388	erxll.exe	erxll.exe
PID 804 set thread context of 1952	804	erxll.exe	erxll.exe
PID 1604 set thread context of 964	1604	erxll.exe	erxll.exe
PID 1360 set thread context of 2880	1360	erxll.exe	erxll.exe
PID 2596 set thread context of 2500	2596	erxll.exe	erxll.exe
PID 828 set thread context of 1936	828	erxll.exe	erxll.exe
PID 564 set thread context of 2852	564	erxll.exe	erxll.exe
PID 1388 set thread context of 3024	1388	erxll.exe	erxll.exe
PID 2564 set thread context of 2400	2564	erxll.exe	erxll.exe
PID 2644 set thread context of 1892	2644	erxll.exe	erxll.exe
PID 1952 set thread context of 748	1952	erxll.exe	erxll.exe
PID 1000 set thread context of 2888	1000	erxll.exe	erxll.exe
PID 1756 set thread context of 928	1756	erxll.exe	erxll.exe
PID 2968 set thread context of 2956	2968	erxll.exe	erxll.exe
PID 2664 set thread context of 2412	2664	erxll.exe	erxll.exe
PID 1248 set thread context of 1728	1248	erxll.exe	erxll.exe
PID 1000 set thread context of 2924	1000	erxll.exe	erxll.exe
PID 2728 set thread context of 2700	2728	erxll.exe	erxll.exe
PID 2736 set thread context of 2632	2736	erxll.exe	erxll.exe
PID 1716 set thread context of 2880	1716	erxll.exe	erxll.exe
PID 3052 set thread context of 1260	3052	erxll.exe	erxll.exe
PID 1716 set thread context of 2856	1716	erxll.exe	erxll.exe
PID 1788 set thread context of 2508	1788	erxll.exe	erxll.exe
PID 1716 set thread context of 1304	1716	erxll.exe	erxll.exe

Drops file in Windows directory 2 IoCs

Processes:

f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\InstallDir\erxll.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\erxll.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

erxll.exef6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exeerxll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C4-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\ = "VBPropertyBag"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\TypeLib	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\TypeLib	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ = "_Collection"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\ = "VBPropertyBag"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\ = "AsyncProperty"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\ProxyStubClsid32	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\MSVBVM60.DLL\\3"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\Version = "6.0"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\TypeLib	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\ = "VBPropertyBag"	erxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\ProxyStubClsid32	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

pid	process
1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
2768	erxll.exe
2388	erxll.exe
804	erxll.exe
1604	erxll.exe
1360	erxll.exe
2596	erxll.exe
828	erxll.exe
564	erxll.exe
1388	erxll.exe
2564	erxll.exe
2644	erxll.exe
1952	erxll.exe
1000	erxll.exe
1756	erxll.exe
2968	erxll.exe
2664	erxll.exe
1248	erxll.exe
1000	erxll.exe
2728	erxll.exe
2736	erxll.exe
1716	erxll.exe
3052	erxll.exe
1716	erxll.exe
1788	erxll.exe
1716	erxll.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exef6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exeerxll.exe

description	pid	process	target process
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 1116 wrote to memory of 2364	1116	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
PID 2364 wrote to memory of 2668	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2668	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2668	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2668	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2696	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	explorer.exe
PID 2364 wrote to memory of 2696	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	explorer.exe
PID 2364 wrote to memory of 2696	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	explorer.exe
PID 2364 wrote to memory of 2696	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	explorer.exe
PID 2364 wrote to memory of 2696	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	explorer.exe
PID 2364 wrote to memory of 2668	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2556	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2556	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2556	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2556	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2556	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2408	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2408	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2408	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2408	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2408	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 3020	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 3020	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 3020	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 3020	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 3020	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2560	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2560	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2560	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2560	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2560	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 864	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 864	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 864	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 864	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 864	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2804	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2804	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2804	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2804	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2804	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2724	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2724	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2724	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2724	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	iexplore.exe
PID 2364 wrote to memory of 2768	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	erxll.exe
PID 2364 wrote to memory of 2768	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	erxll.exe
PID 2364 wrote to memory of 2768	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	erxll.exe
PID 2364 wrote to memory of 2768	2364	f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe	erxll.exe
PID 2768 wrote to memory of 2652	2768	erxll.exe	erxll.exe
PID 2768 wrote to memory of 2652	2768	erxll.exe	erxll.exe

C:\Users\Admin\AppData\Local\Temp\f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2668

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Deletes itself
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:3020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2724

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1740

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2376

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2876

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1480

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2440

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:700

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
16⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2220

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:564

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1516

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
20⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2600

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
22⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2460

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:756

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
26⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2948

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
28⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:1712

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:1240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:2796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:2340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:2480

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:1556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:2708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:2776

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
34⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:2628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:2740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:1780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:1896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
35⤵
PID:944

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
36⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
37⤵
PID:1276

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
38⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:1476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:2812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:1252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:2276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
39⤵
PID:1012

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
40⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:1180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
41⤵
PID:2696

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
42⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:2952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
43⤵
PID:908

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
44⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:3008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:1020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
45⤵
PID:2852

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
46⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:1560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:1520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
47⤵
PID:344

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
48⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:2664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:1796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:1132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:1160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
49⤵
PID:1804

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
50⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:1692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:1248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
51⤵
PID:924

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
52⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:2260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:2508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:3052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:2712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
53⤵
PID:3084

C:\Windows\InstallDir\erxll.exe
"C:\Windows\InstallDir\erxll.exe"
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3096

C:\Windows\InstallDir\erxll.exe
C:\Windows\InstallDir\erxll.exe
54⤵
PID:3120

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
530fc5e399b10fa79e72af28634c5a52

SHA1
541d97e40da58fbc59074849639548f2f4083b50

SHA256
2e9e82cfdaf61a4cca91bad42f31da60d1098489593e841c4e8d9f5bf0595702

SHA512
c3dec8bb5da7150a9de6a5155f8a092534dc05d364e8fc4227e64e278b3e7bb8c659c302a953e3f0f3d38f423281ab94925868ab9528c4ed39d428f920477d5d

Download Submit
\Windows\InstallDir\erxll.exe
Filesize
794KB

MD5
f6fb5d75bf7566772a043526fc3a2508

SHA1
96bf4f9f083d3e290356fc9fc652fd10ea979997

SHA256
f9a216ea7cad2d3b950157140054a44be53208dadfb2cf370750e1d1b11ae3c9

SHA512
83a0cc2d06a7a76b40b601cbc667d00c7c9e977b2472258019dd30fb7d7604af6f58bd80655dc1789077f72e275a9b94eb98f90f98f54dfa3dc10ed024a4ecb0

Download Submit
memory/564-113-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/564-119-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/748-175-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/748-171-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/804-57-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/804-51-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/828-107-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/828-102-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/928-200-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/928-196-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/964-75-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/964-71-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1000-249-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1000-177-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1000-242-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1000-182-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1116-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1116-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-236-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-229-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1360-77-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1360-81-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-132-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-127-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1604-63-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1604-69-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1728-237-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1728-240-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1756-188-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1756-193-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1892-159-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1892-162-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1936-111-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1936-109-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1952-163-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1952-169-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1952-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1952-59-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2364-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2364-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2364-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2364-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2364-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2364-23-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2388-44-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2388-38-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2400-146-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2400-150-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2412-227-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2412-223-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2500-100-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2500-96-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2564-138-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2564-144-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2596-89-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2596-94-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2632-49-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2632-46-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2644-152-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-157-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2652-36-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2652-34-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2664-215-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2664-222-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2696-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2696-14-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2728-263-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2728-256-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2768-30-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2768-24-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2852-121-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2852-125-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2880-84-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2880-87-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2888-187-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2888-184-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2924-250-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2924-254-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2956-210-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2956-213-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2968-202-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2968-209-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3024-134-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3024-136-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads