xtremerat | a6aa25a34eb8f4369a88050e630847219f7f1f6f68ee66e8c555d819e574e3c5

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe
Size

62KB
MD5

a03e8726d0d48087d51902d0c40b81b4
SHA1

ef632ebe6fe5aac6ad0a144504b8bddce1779a58
SHA256

a6aa25a34eb8f4369a88050e630847219f7f1f6f68ee66e8c555d819e574e3c5
SHA512

ebb7b1bdff9c27a0c7059db193c2e9752c037ef1fc8f982ab883c4b0e66ad7478981c0fbca924cb6016b88ca8b786ea0ded29b99cdea2dd2a203c245bb128feb
SSDEEP

768:q4egZtpjuTZsy8RXLbUKFqjC9PX5u/5uKzotgR:HYd58RXLbUcvv5u/5umoKR

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 63 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1460-7-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe	family_xtremerat
behavioral1/memory/2404-12-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2696-17-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2492-24-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2544-30-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2792-34-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2808-37-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/272-47-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1984-50-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1656-54-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3012-57-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1920-64-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/820-67-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3052-74-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/640-80-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3040-84-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1324-87-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1136-94-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2640-102-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2776-105-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2868-108-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1616-111-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2136-116-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/364-117-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1920-120-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2680-125-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2280-126-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1576-129-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1308-134-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/568-137-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/892-138-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/588-143-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2648-146-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2856-149-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3016-152-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/2820-155-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/1912-156-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/956-159-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3128-162-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3204-167-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3360-170-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3408-171-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3488-176-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3708-177-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3724-180-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4020-183-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3956-184-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4012-187-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3236-192-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3428-195-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3712-198-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3500-199-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4040-202-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3216-207-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3996-210-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3472-211-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/3960-216-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4112-219-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4164-222-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4224-225-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4448-228-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat
behavioral1/memory/4504-229-0x0000000000C80000-0x0000000000C98000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesvchost.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe restart"	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	sleepy.exe

Executes dropped EXE 64 IoCs

Processes:

sleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exe

pid	process
2696	sleepy.exe
2544	sleepy.exe
2492	sleepy.exe
2808	sleepy.exe
2792	sleepy.exe
272	sleepy.exe
1984	sleepy.exe
3012	sleepy.exe
1656	sleepy.exe
820	sleepy.exe
1920	sleepy.exe
640	sleepy.exe
3052	sleepy.exe
3040	sleepy.exe
1324	sleepy.exe
1136	sleepy.exe
2640	sleepy.exe
2776	sleepy.exe
2868	sleepy.exe
1616	sleepy.exe
364	sleepy.exe
1920	sleepy.exe
2136	sleepy.exe
2280	sleepy.exe
2680	sleepy.exe
1576	sleepy.exe
1308	sleepy.exe
568	sleepy.exe
892	sleepy.exe
588	sleepy.exe
2648	sleepy.exe
2856	sleepy.exe
3016	sleepy.exe
1912	sleepy.exe
2820	sleepy.exe
956	sleepy.exe
3128	sleepy.exe
3204	sleepy.exe
3360	sleepy.exe
3408	sleepy.exe
3488	sleepy.exe
3708	sleepy.exe
3724	sleepy.exe
3956	sleepy.exe
4012	sleepy.exe
4020	sleepy.exe
3236	sleepy.exe
3428	sleepy.exe
3500	sleepy.exe
3712	sleepy.exe
4040	sleepy.exe
3216	sleepy.exe
3472	sleepy.exe
3996	sleepy.exe
3960	sleepy.exe
4112	sleepy.exe
4164	sleepy.exe
4224	sleepy.exe
4448	sleepy.exe
4504	sleepy.exe
4592	sleepy.exe
4816	sleepy.exe
4840	sleepy.exe
4896	sleepy.exe

Loads dropped DLL 64 IoCs

Processes:

a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exesleepy.exesvchost.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exe

pid	process
2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe
2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe
2696	sleepy.exe
1460	svchost.exe
1460	svchost.exe
2544	sleepy.exe
1460	svchost.exe
1460	svchost.exe
2808	sleepy.exe
1460	svchost.exe
1460	svchost.exe
272	sleepy.exe
1984	sleepy.exe
3012	sleepy.exe
1460	svchost.exe
1460	svchost.exe
820	sleepy.exe
1460	svchost.exe
1460	svchost.exe
640	sleepy.exe
1460	svchost.exe
1460	svchost.exe
1324	sleepy.exe
1460	svchost.exe
1460	svchost.exe
1460	svchost.exe
1460	svchost.exe
2640	sleepy.exe
1460	svchost.exe
1460	svchost.exe
2868	sleepy.exe
1616	sleepy.exe
1460	svchost.exe
1460	svchost.exe
364	sleepy.exe
1460	svchost.exe
1460	svchost.exe
1920	sleepy.exe
2280	sleepy.exe
1576	sleepy.exe
1460	svchost.exe
1460	svchost.exe
1308	sleepy.exe
892	sleepy.exe
1460	svchost.exe
1460	svchost.exe
588	sleepy.exe
1460	svchost.exe
1460	svchost.exe
2856	sleepy.exe
3016	sleepy.exe
1912	sleepy.exe
956	sleepy.exe
3128	sleepy.exe
1460	svchost.exe
1460	svchost.exe
3204	sleepy.exe
3360	sleepy.exe
3408	sleepy.exe
3708	sleepy.exe
3724	sleepy.exe
1460	svchost.exe
1460	svchost.exe
3956	sleepy.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exea03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exesleepy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\sleepy.exe"	sleepy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exesleepy.exe

description	pid	process	target process
PID 2404 wrote to memory of 1460	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	svchost.exe
PID 2404 wrote to memory of 1460	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	svchost.exe
PID 2404 wrote to memory of 1460	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	svchost.exe
PID 2404 wrote to memory of 1460	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	svchost.exe
PID 2404 wrote to memory of 1460	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	svchost.exe
PID 2404 wrote to memory of 1724	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1724	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1724	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1724	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1724	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3036	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3036	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3036	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3036	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3036	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2356	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2356	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2356	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2356	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2356	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1652	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1652	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1652	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1652	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1652	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3064	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3064	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3064	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3064	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 3064	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1996	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1996	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1996	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1996	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 1996	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2288	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2288	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2288	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2288	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2288	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2608	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2608	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2608	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2608	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	iexplore.exe
PID 2404 wrote to memory of 2696	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	sleepy.exe
PID 2404 wrote to memory of 2696	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	sleepy.exe
PID 2404 wrote to memory of 2696	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	sleepy.exe
PID 2404 wrote to memory of 2696	2404	a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe	sleepy.exe
PID 2696 wrote to memory of 2604	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2604	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2604	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2604	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2604	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2716	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2716	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2716	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2716	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2716	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2660	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2660	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2660	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2660	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2660	2696	sleepy.exe	iexplore.exe
PID 2696 wrote to memory of 2488	2696	sleepy.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a03e8726d0d48087d51902d0c40b81b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1612
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:272
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1484
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2468
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2752
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:384
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:928
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        8⤵
        Executes dropped EXE
        
        PID:3040
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:612
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:924
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1324
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2196
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2016
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1136
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2624
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2500
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2816
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:744
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:364
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3668
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2776
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1260
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:428
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1072
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2812
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1528
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2408
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1904
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2324
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2068
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2700
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1164
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:2648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1780
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2856
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1104
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2736
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:2820
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3012
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1912
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1324
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2328
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:588
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1588
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2856
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3156
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3176
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3220
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3252
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3272
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3288
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3308
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3768
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:3408
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3432
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3476
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3520
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:3724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3784
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3804
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3860
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3876
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4868
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Executes dropped EXE
    PID:4020
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3500
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3676
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3964
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:3216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2644
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3716
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:900
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        8⤵
        Adds Run key to start application
        
        PID:4960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        9⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:4100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        10⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        11⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4172
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    PID:3996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4164
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4284
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4312
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4336
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4388
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:4504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4540
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4644
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4672
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4696
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4748
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        Executes dropped EXE
        
        PID:4840
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4896
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:5080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3792
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3960
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4212
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:4196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4528
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4536
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4800
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4764
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
        5⤵
        
        PID:4944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4516
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:4464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4564
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    PID:4988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4120
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4476
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5084
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1724
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3036
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1652
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1996
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2288
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2716
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2660
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2488
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2340
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1180
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:520
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe"
      4⤵
      Executes dropped EXE
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallDir\sleepy.exe

Filesize
62KB

MD5
a03e8726d0d48087d51902d0c40b81b4

SHA1
ef632ebe6fe5aac6ad0a144504b8bddce1779a58

SHA256
a6aa25a34eb8f4369a88050e630847219f7f1f6f68ee66e8c555d819e574e3c5

SHA512
ebb7b1bdff9c27a0c7059db193c2e9752c037ef1fc8f982ab883c4b0e66ad7478981c0fbca924cb6016b88ca8b786ea0ded29b99cdea2dd2a203c245bb128feb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
ae261bd6d3a4ec4c821f8641198704b2

SHA1
95daeccddeba86e589b7d2acb4aafa60a33547cd

SHA256
b69e3d62cc50f777cd11bbc5e2ccb5caad58de98344604c808ba06697771c230

SHA512
6dd3ef1e0441f91fc0dbe436a0e84c8945b25086b80ec5942c22685cfbfba78ed5adf771c95d77931c7a6678e62a29e4339755ffe7dd861707e803f6b8a02b86

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/272-47-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/364-117-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/568-137-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/588-143-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/640-80-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/820-67-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/892-138-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/956-159-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1136-94-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1308-134-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1324-87-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1460-5-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1460-7-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1576-129-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1616-111-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1656-54-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1912-156-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1920-64-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1920-120-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1984-50-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2136-116-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2280-126-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2404-12-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2492-24-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2544-30-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2640-102-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2648-146-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2680-125-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2696-17-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2776-105-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2792-34-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2808-37-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2820-155-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2856-149-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/2868-108-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3012-57-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3016-152-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3040-84-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3052-74-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3128-162-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3204-167-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3216-207-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3236-192-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3360-170-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3408-171-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3428-195-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3472-211-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3488-176-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3500-199-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3708-177-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3712-198-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3724-180-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3956-184-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3960-216-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/3996-210-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4012-187-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4020-183-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4040-202-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4112-219-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4164-222-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4224-225-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4448-228-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/4504-229-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download