xtremerat | 167d8b5e0392d57036e84f7bf0a11b4eb65b375a748d9a1577b41bbcd09e5a4f

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe
Size

265KB
MD5

09af6af8414796014eadbaf0c7e51299
SHA1

5b2b4d6a2085467da0305fc4d86e994a1e595ff5
SHA256

167d8b5e0392d57036e84f7bf0a11b4eb65b375a748d9a1577b41bbcd09e5a4f
SHA512

a90e218edc60741245cb15019a3cfd940ccec9052e5136c7da0f5f6e8c80ce631268d2440f44663575016352932015ac780bce1525d54bcb53d987dfd95a9b43
SSDEEP

6144:QTsztutahaAz4PIrX+LieeVRegtjU8Lcsaesxwrq:QTQtutBAcPpeVRegZU8Arl

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 47 IoCs

resource	yara_rule
behavioral1/memory/2320-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2320-30-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2788-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2788-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1536-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1744-44-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1536-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2040-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2040-56-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1664-60-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1704-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2948-71-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/900-72-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/900-77-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1964-83-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2620-85-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2620-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2392-96-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/848-103-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2052-104-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2052-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1152-114-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1512-115-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1512-119-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1156-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1156-124-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/844-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/844-131-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1916-132-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1916-137-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1496-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1496-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/264-144-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/264-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2940-155-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2160-153-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2940-160-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3236-162-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3236-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3380-171-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3672-177-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3528-176-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3672-182-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3820-188-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3968-189-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3968-193-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1396-194-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	file1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	file1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JRR20L0-E482-5NG7-4LN3-3LTL26HBVTDP}\StubPath = "C:\\Windows\\Java\\Rundll.exe restart"	Rundll.exe

Executes dropped EXE 30 IoCs

pid	Process
2320	file1.exe
2788	Rundll.exe
1744	Rundll.exe
1536	Rundll.exe
2040	Rundll.exe
1664	Rundll.exe
1704	Rundll.exe
2948	Rundll.exe
900	Rundll.exe
1964	Rundll.exe
2620	Rundll.exe
2392	Rundll.exe
848	Rundll.exe
2052	Rundll.exe
1152	Rundll.exe
1512	Rundll.exe
1156	Rundll.exe
844	Rundll.exe
1916	Rundll.exe
1496	Rundll.exe
264	Rundll.exe
2160	Rundll.exe
2940	Rundll.exe
3236	Rundll.exe
3380	Rundll.exe
3528	Rundll.exe
3672	Rundll.exe
3820	Rundll.exe
3968	Rundll.exe
1396	Rundll.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	file1.exe
2320	file1.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c000000013522-9.dat	upx
behavioral1/memory/2320-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2320-30-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2320-31-0x0000000075C40000-0x0000000075C44000-memory.dmp	upx
behavioral1/memory/2788-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2788-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1744-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1536-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1744-44-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1536-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2040-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2040-56-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1704-61-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1664-60-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1704-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2948-71-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/900-72-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/900-77-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1964-83-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1964-81-0x00000000025A0000-0x00000000025A8000-memory.dmp	upx
behavioral1/memory/2620-85-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2620-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2392-92-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2392-96-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/848-97-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/848-103-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2052-104-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2052-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1152-114-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1512-115-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1512-119-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1156-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1156-124-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/844-126-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/844-131-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1916-132-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1916-137-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1496-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1496-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/264-144-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/264-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2160-150-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2940-155-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2160-153-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2940-160-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3236-162-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3236-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3380-171-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3672-177-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3528-176-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3672-182-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3820-188-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3968-189-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3968-193-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1396-194-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	file1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	file1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java-- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java- = "C:\\Windows\\Java\\Rundll.exe"	Rundll.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File created	C:\Windows\Java\Rundll.exe	file1.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	file1.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe
File opened for modification	C:\Windows\Java\Rundll.exe	Rundll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe
Token: 33	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2320	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2320	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2320	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2320	2432	09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2680	2320	file1.exe	29
PID 2320 wrote to memory of 2680	2320	file1.exe	29
PID 2320 wrote to memory of 2680	2320	file1.exe	29
PID 2320 wrote to memory of 2680	2320	file1.exe	29
PID 2320 wrote to memory of 2708	2320	file1.exe	30
PID 2320 wrote to memory of 2708	2320	file1.exe	30
PID 2320 wrote to memory of 2708	2320	file1.exe	30
PID 2320 wrote to memory of 2708	2320	file1.exe	30
PID 2320 wrote to memory of 2708	2320	file1.exe	30
PID 2320 wrote to memory of 2668	2320	file1.exe	31
PID 2320 wrote to memory of 2668	2320	file1.exe	31
PID 2320 wrote to memory of 2668	2320	file1.exe	31
PID 2320 wrote to memory of 2668	2320	file1.exe	31
PID 2320 wrote to memory of 2668	2320	file1.exe	31
PID 2320 wrote to memory of 2608	2320	file1.exe	32
PID 2320 wrote to memory of 2608	2320	file1.exe	32
PID 2320 wrote to memory of 2608	2320	file1.exe	32
PID 2320 wrote to memory of 2608	2320	file1.exe	32
PID 2320 wrote to memory of 2608	2320	file1.exe	32
PID 2320 wrote to memory of 2924	2320	file1.exe	33
PID 2320 wrote to memory of 2924	2320	file1.exe	33
PID 2320 wrote to memory of 2924	2320	file1.exe	33
PID 2320 wrote to memory of 2924	2320	file1.exe	33
PID 2320 wrote to memory of 2924	2320	file1.exe	33
PID 2320 wrote to memory of 2184	2320	file1.exe	34
PID 2320 wrote to memory of 2184	2320	file1.exe	34
PID 2320 wrote to memory of 2184	2320	file1.exe	34
PID 2320 wrote to memory of 2184	2320	file1.exe	34
PID 2320 wrote to memory of 2184	2320	file1.exe	34
PID 2320 wrote to memory of 2920	2320	file1.exe	35
PID 2320 wrote to memory of 2920	2320	file1.exe	35
PID 2320 wrote to memory of 2920	2320	file1.exe	35
PID 2320 wrote to memory of 2920	2320	file1.exe	35
PID 2320 wrote to memory of 2920	2320	file1.exe	35
PID 2320 wrote to memory of 2640	2320	file1.exe	36
PID 2320 wrote to memory of 2640	2320	file1.exe	36
PID 2320 wrote to memory of 2640	2320	file1.exe	36
PID 2320 wrote to memory of 2640	2320	file1.exe	36
PID 2320 wrote to memory of 2640	2320	file1.exe	36
PID 2320 wrote to memory of 2752	2320	file1.exe	37
PID 2320 wrote to memory of 2752	2320	file1.exe	37
PID 2320 wrote to memory of 2752	2320	file1.exe	37
PID 2320 wrote to memory of 2752	2320	file1.exe	37
PID 2320 wrote to memory of 2788	2320	file1.exe	38
PID 2320 wrote to memory of 2788	2320	file1.exe	38
PID 2320 wrote to memory of 2788	2320	file1.exe	38
PID 2320 wrote to memory of 2788	2320	file1.exe	38
PID 2788 wrote to memory of 2476	2788	Rundll.exe	39
PID 2788 wrote to memory of 2476	2788	Rundll.exe	39
PID 2788 wrote to memory of 2476	2788	Rundll.exe	39
PID 2788 wrote to memory of 2476	2788	Rundll.exe	39
PID 2788 wrote to memory of 2488	2788	Rundll.exe	40
PID 2788 wrote to memory of 2488	2788	Rundll.exe	40
PID 2788 wrote to memory of 2488	2788	Rundll.exe	40
PID 2788 wrote to memory of 2488	2788	Rundll.exe	40
PID 2788 wrote to memory of 2488	2788	Rundll.exe	40
PID 2788 wrote to memory of 2508	2788	Rundll.exe	41
PID 2788 wrote to memory of 2508	2788	Rundll.exe	41
PID 2788 wrote to memory of 2508	2788	Rundll.exe	41
PID 2788 wrote to memory of 2508	2788	Rundll.exe	41

C:\Users\Admin\AppData\Local\Temp\09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09af6af8414796014eadbaf0c7e51299_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2680
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2608
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2924
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2184
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2640
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2752
- - C:\Windows\Java\Rundll.exe
    "C:\Windows\Java\Rundll.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2476
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2416
  - - C:\Windows\Java\Rundll.exe
      "C:\Windows\Java\Rundll.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:1744
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2452
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2712
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:280
    - - C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1536
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:1356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2104
      - C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2040
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1976
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1664
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        8⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:808
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1704
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        9⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:444
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        10⤵
        
        PID:1476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:384
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:900
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        11⤵
        
        PID:1004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2408
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1964
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        12⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1836
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2620
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        13⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2644
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2392
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        14⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2808
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:848
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        15⤵
        
        PID:1364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1656
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2052
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        16⤵
        
        PID:564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2936
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1152
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        17⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1776
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1512
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        18⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2784
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1156
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        19⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1248
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:844
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        20⤵
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1408
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1916
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        21⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1692
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1496
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        22⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2132
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:264
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        23⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2320
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2160
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        24⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:556
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2940
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        25⤵
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3208
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3236
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        26⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3356
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3380
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        27⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3500
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3528
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        28⤵
        
        PID:3560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3644
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3672
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        29⤵
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3796
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        29⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3820
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        30⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3944
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        31⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4084
        
        C:\Windows\Java\Rundll.exe
        
        "C:\Windows\Java\Rundll.exe"
        31⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1396
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        32⤵
        
        PID:1272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
19KB

MD5
95ea70be1128a0285da3e2fc321841cc

SHA1
a94503c497431d936cf894436ce1de59b89f1ca6

SHA256
ba3da04a5e56a5de4633f8bea7153e66f86d1c59876dc39da010f957a6548380

SHA512
53133662ed165cb6a861b347812b8d31265479af3b8fa5d0ef852ae20a949d01661a494e944d6e886135d9e8ce9cb3b1946c69bd371ecaf425bc198a745530ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tWYrF.cfg

Filesize
1KB

MD5
b3cf9905e195d987767e7a75bd745438

SHA1
60c2523b463e791634e32259aa243f5260294e28

SHA256
3f6bf0467a349b90985dd213abc7d39ed571b5ecaf67d890d51ff20c9eb516d3

SHA512
c18424a9d3c20f61b872ebcee85259f0872dc41d2112c9c37b0f6c342df951cd576bee68214fc77bc1082557ac8484f96a9a793ecc8f59beabc8540344c1244f

Download Submit
memory/264-148-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/264-144-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/844-131-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/844-126-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/848-97-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/848-103-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/900-77-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/900-72-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1152-114-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1156-120-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1156-124-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1396-194-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1496-138-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1496-143-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1512-115-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1512-119-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1536-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1536-50-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1664-60-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1704-61-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1704-66-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1744-44-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1744-39-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1916-132-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1916-137-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1964-83-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1964-82-0x00000000747B0000-0x00000000747D7000-memory.dmp

Filesize
156KB

Download
memory/1964-81-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/1964-80-0x0000000076EF0000-0x0000000076FEA000-memory.dmp

Filesize
1000KB

Download
memory/1964-79-0x0000000076DD0000-0x0000000076EEF000-memory.dmp

Filesize
1.1MB

Download
memory/2040-51-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2040-56-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2052-108-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2052-104-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2160-150-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2160-153-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2320-30-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2320-12-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2320-31-0x0000000075C40000-0x0000000075C44000-memory.dmp

Filesize
16KB

Download
memory/2392-96-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2392-92-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2432-0-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-2-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-15-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-1-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-11-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-4-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2620-85-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2620-91-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2788-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2788-32-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2940-155-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2940-160-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2948-71-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3236-166-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3236-162-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3380-171-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3528-176-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3672-177-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3672-182-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3820-188-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3968-189-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3968-193-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads