9e168a8a36d60c0210e0c5aa0e1d0ae53014c078f98b10a4d40948702e3bc931

General

Target

366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
Size

101KB
MD5

366537b87b21452cfbb8b18d317bb423
SHA1

2697a80c631f0171726206fb0e4ddaf9c4ea1a0e
SHA256

9e168a8a36d60c0210e0c5aa0e1d0ae53014c078f98b10a4d40948702e3bc931
SHA512

11300fc8ef49e42d762b50b0c5cbfc83d0abc26e318c5e177ef1506794f941d45a9d5f56f7f3a86abd273a6c712cc9c7564a65c29e624bcbce22937c5a7a81b0
SSDEEP

3072:UHNFe+yARnRD68wbbeDL4/mdXtqbBaYY/:UHNo+yARRD68w+X4/8Xt+Bxs

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	iexplorer-.exe

Executes dropped EXE 64 IoCs

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

pid	process
2060	iexplorer-.exe
4004	iexplorer-.exe
264	iexplorer-.exe
228	iexplorer-.exe
3040	iexplorer-.exe
5028	iexplorer-.exe
1236	iexplorer-.exe
1860	iexplorer-.exe
1948	iexplorer-.exe
2668	iexplorer-.exe
5116	iexplorer-.exe
1952	iexplorer-.exe
3620	iexplorer-.exe
2704	iexplorer-.exe
3224	iexplorer-.exe
4404	iexplorer-.exe
3644	iexplorer-.exe
2648	iexplorer-.exe
1048	iexplorer-.exe
4508	iexplorer-.exe
2444	iexplorer-.exe
1552	iexplorer-.exe
4596	iexplorer-.exe
3456	iexplorer-.exe
848	iexplorer-.exe
4192	iexplorer-.exe
1652	iexplorer-.exe
3664	iexplorer-.exe
4992	iexplorer-.exe
3844	iexplorer-.exe
3212	iexplorer-.exe
3124	iexplorer-.exe
4724	iexplorer-.exe
4444	iexplorer-.exe
3500	iexplorer-.exe
3912	iexplorer-.exe
4868	iexplorer-.exe
5136	iexplorer-.exe
5184	iexplorer-.exe
5232	iexplorer-.exe
5300	iexplorer-.exe
5348	iexplorer-.exe
5396	iexplorer-.exe
5448	iexplorer-.exe
5496	iexplorer-.exe
5548	iexplorer-.exe
5596	iexplorer-.exe
5648	iexplorer-.exe
5696	iexplorer-.exe
5748	iexplorer-.exe
5796	iexplorer-.exe
5844	iexplorer-.exe
5896	iexplorer-.exe
5944	iexplorer-.exe
5996	iexplorer-.exe
6044	iexplorer-.exe
6096	iexplorer-.exe
5148	iexplorer-.exe
5556	iexplorer-.exe
5892	iexplorer-.exe
6164	iexplorer-.exe
6220	iexplorer-.exe
6268	iexplorer-.exe
6316	iexplorer-.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer- = "C:\\Windows\\system32\\iexplorer-.exe"	iexplorer-.exe

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Asynchronous = "0"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Unlock = "WLEvtUnlock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\DllName = "iexplorer-.dll"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Unlock = "WLEvtUnlock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Unlock = "WLEvtUnlock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\DllName = "iexplorer-.dll"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StartScreenSaver = "WLEvtStartScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Unlock = "WLEvtUnlock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Unlock = "WLEvtUnlock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Asynchronous = "0"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StartScreenSaver = "WLEvtStartScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\StopScreenSaver = "WLEvtStopScreenSaver"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Startup = "WLEvtStartup"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Logon = "WLEvtLogon"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Shutdown = "WLEvtShutdown"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\DllName = "iexplorer-.dll"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Impersonate = "0"	iexplorer-.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplorer-\Lock = "WLEvtLock"	iexplorer-.exe

Drops file in System32 directory 64 IoCs

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	ioc	process
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File opened for modification	C:\Windows\SysWOW64\iexplorer-.exe	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File opened for modification	C:\Windows\SysWOW64\iexplorer-.dll	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.dll	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe
File created	C:\Windows\SysWOW64\iexplorer-.exe	iexplorer-.exe

Drops file in Windows directory 1 IoCs

Processes:

366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe

Modifies registry class 64 IoCs

Processes:

iexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iexplorer-.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exeiexplorer-.exe

description	pid	process	target process
PID 5072 wrote to memory of 2060	5072	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe	iexplorer-.exe
PID 5072 wrote to memory of 2060	5072	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe	iexplorer-.exe
PID 5072 wrote to memory of 2060	5072	366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe	iexplorer-.exe
PID 2060 wrote to memory of 4004	2060	iexplorer-.exe	iexplorer-.exe
PID 2060 wrote to memory of 4004	2060	iexplorer-.exe	iexplorer-.exe
PID 2060 wrote to memory of 4004	2060	iexplorer-.exe	iexplorer-.exe
PID 4004 wrote to memory of 264	4004	iexplorer-.exe	iexplorer-.exe
PID 4004 wrote to memory of 264	4004	iexplorer-.exe	iexplorer-.exe
PID 4004 wrote to memory of 264	4004	iexplorer-.exe	iexplorer-.exe
PID 264 wrote to memory of 228	264	iexplorer-.exe	iexplorer-.exe
PID 264 wrote to memory of 228	264	iexplorer-.exe	iexplorer-.exe
PID 264 wrote to memory of 228	264	iexplorer-.exe	iexplorer-.exe
PID 228 wrote to memory of 3040	228	iexplorer-.exe	iexplorer-.exe
PID 228 wrote to memory of 3040	228	iexplorer-.exe	iexplorer-.exe
PID 228 wrote to memory of 3040	228	iexplorer-.exe	iexplorer-.exe
PID 3040 wrote to memory of 5028	3040	iexplorer-.exe	iexplorer-.exe
PID 3040 wrote to memory of 5028	3040	iexplorer-.exe	iexplorer-.exe
PID 3040 wrote to memory of 5028	3040	iexplorer-.exe	iexplorer-.exe
PID 5028 wrote to memory of 1236	5028	iexplorer-.exe	iexplorer-.exe
PID 5028 wrote to memory of 1236	5028	iexplorer-.exe	iexplorer-.exe
PID 5028 wrote to memory of 1236	5028	iexplorer-.exe	iexplorer-.exe
PID 1236 wrote to memory of 1860	1236	iexplorer-.exe	iexplorer-.exe
PID 1236 wrote to memory of 1860	1236	iexplorer-.exe	iexplorer-.exe
PID 1236 wrote to memory of 1860	1236	iexplorer-.exe	iexplorer-.exe
PID 1860 wrote to memory of 1948	1860	iexplorer-.exe	iexplorer-.exe
PID 1860 wrote to memory of 1948	1860	iexplorer-.exe	iexplorer-.exe
PID 1860 wrote to memory of 1948	1860	iexplorer-.exe	iexplorer-.exe
PID 1948 wrote to memory of 2668	1948	iexplorer-.exe	iexplorer-.exe
PID 1948 wrote to memory of 2668	1948	iexplorer-.exe	iexplorer-.exe
PID 1948 wrote to memory of 2668	1948	iexplorer-.exe	iexplorer-.exe
PID 2668 wrote to memory of 5116	2668	iexplorer-.exe	iexplorer-.exe
PID 2668 wrote to memory of 5116	2668	iexplorer-.exe	iexplorer-.exe
PID 2668 wrote to memory of 5116	2668	iexplorer-.exe	iexplorer-.exe
PID 5116 wrote to memory of 1952	5116	iexplorer-.exe	iexplorer-.exe
PID 5116 wrote to memory of 1952	5116	iexplorer-.exe	iexplorer-.exe
PID 5116 wrote to memory of 1952	5116	iexplorer-.exe	iexplorer-.exe
PID 1952 wrote to memory of 3620	1952	iexplorer-.exe	iexplorer-.exe
PID 1952 wrote to memory of 3620	1952	iexplorer-.exe	iexplorer-.exe
PID 1952 wrote to memory of 3620	1952	iexplorer-.exe	iexplorer-.exe
PID 3620 wrote to memory of 2704	3620	iexplorer-.exe	iexplorer-.exe
PID 3620 wrote to memory of 2704	3620	iexplorer-.exe	iexplorer-.exe
PID 3620 wrote to memory of 2704	3620	iexplorer-.exe	iexplorer-.exe
PID 2704 wrote to memory of 3224	2704	iexplorer-.exe	iexplorer-.exe
PID 2704 wrote to memory of 3224	2704	iexplorer-.exe	iexplorer-.exe
PID 2704 wrote to memory of 3224	2704	iexplorer-.exe	iexplorer-.exe
PID 3224 wrote to memory of 4404	3224	iexplorer-.exe	iexplorer-.exe
PID 3224 wrote to memory of 4404	3224	iexplorer-.exe	iexplorer-.exe
PID 3224 wrote to memory of 4404	3224	iexplorer-.exe	iexplorer-.exe
PID 4404 wrote to memory of 3644	4404	iexplorer-.exe	iexplorer-.exe
PID 4404 wrote to memory of 3644	4404	iexplorer-.exe	iexplorer-.exe
PID 4404 wrote to memory of 3644	4404	iexplorer-.exe	iexplorer-.exe
PID 3644 wrote to memory of 2648	3644	iexplorer-.exe	iexplorer-.exe
PID 3644 wrote to memory of 2648	3644	iexplorer-.exe	iexplorer-.exe
PID 3644 wrote to memory of 2648	3644	iexplorer-.exe	iexplorer-.exe
PID 2648 wrote to memory of 1048	2648	iexplorer-.exe	iexplorer-.exe
PID 2648 wrote to memory of 1048	2648	iexplorer-.exe	iexplorer-.exe
PID 2648 wrote to memory of 1048	2648	iexplorer-.exe	iexplorer-.exe
PID 1048 wrote to memory of 4508	1048	iexplorer-.exe	iexplorer-.exe
PID 1048 wrote to memory of 4508	1048	iexplorer-.exe	iexplorer-.exe
PID 1048 wrote to memory of 4508	1048	iexplorer-.exe	iexplorer-.exe
PID 4508 wrote to memory of 2444	4508	iexplorer-.exe	iexplorer-.exe
PID 4508 wrote to memory of 2444	4508	iexplorer-.exe	iexplorer-.exe
PID 4508 wrote to memory of 2444	4508	iexplorer-.exe	iexplorer-.exe
PID 2444 wrote to memory of 1552	2444	iexplorer-.exe	iexplorer-.exe

C:\Users\Admin\AppData\Local\Temp\366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\366537b87b21452cfbb8b18d317bb423_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:264

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
PID:1552

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:4596

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3456

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:848

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:4192

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1652

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3664

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
30⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:4992

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
31⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:3844

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:3212

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
33⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3124

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4724

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
35⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4444

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:3500

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
37⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:3912

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
38⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:4868

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
39⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:5136

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5184

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
41⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5232

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5300

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
43⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5348

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
44⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5396

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
45⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5448

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5496

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
47⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:5548

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5596

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
49⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5648

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
50⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5696

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
51⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5748

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5796

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
53⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5844

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5896

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
55⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
PID:5944

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5996

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
57⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6044

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
58⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6096

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
59⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5148

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:5556

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5892

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
62⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6164

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
63⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6220

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6268

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
65⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:6316

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
66⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:6364

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
67⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6528

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
68⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6576

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
69⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:6628

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
70⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:6676

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
71⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
PID:6720

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
72⤵
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
PID:6768

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
73⤵
PID:6816

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
74⤵
PID:6864

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
75⤵
PID:6908

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
76⤵
PID:6960

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
77⤵
PID:7008

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
78⤵
PID:7052

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
79⤵
PID:7112

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
80⤵
PID:7156

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
81⤵
PID:6384

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
82⤵
PID:6360

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
83⤵
PID:4484

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
84⤵
PID:6436

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
85⤵
PID:4460

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
86⤵
PID:7192

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
87⤵
PID:7236

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
88⤵
PID:7280

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
89⤵
PID:7332

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
90⤵
PID:7388

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
91⤵
PID:7432

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
92⤵
PID:7480

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
93⤵
PID:7524

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
94⤵
PID:7568

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
95⤵
PID:7616

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
96⤵
PID:7660

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
97⤵
PID:7704

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
98⤵
PID:7752

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
99⤵
PID:7800

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
100⤵
PID:7844

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
101⤵
PID:7888

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
102⤵
PID:7936

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
103⤵
PID:7980

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
104⤵
PID:8024

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
105⤵
PID:8120

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
106⤵
PID:8188

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
107⤵
PID:2540

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
108⤵
PID:8200

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
109⤵
PID:8248

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
110⤵
PID:8316

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
111⤵
PID:8360

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
112⤵
PID:8408

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
113⤵
PID:8452

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
114⤵
PID:8500

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
115⤵
PID:8592

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
116⤵
PID:8652

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
117⤵
PID:8704

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
118⤵
PID:8748

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
119⤵
PID:8796

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
120⤵
PID:8840

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
121⤵
PID:8888

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
122⤵
PID:8932

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
123⤵
PID:8976

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
124⤵
PID:9024

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
125⤵
PID:9068

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
126⤵
PID:9112

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
127⤵
PID:9160

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
128⤵
PID:9204

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
129⤵
PID:932

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
130⤵
PID:8092

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
131⤵
PID:8404

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
132⤵
PID:5392

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
133⤵
PID:2660

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
134⤵
PID:9248

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
135⤵
PID:9292

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
136⤵
PID:9340

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
137⤵
PID:9388

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
138⤵
PID:9432

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
139⤵
PID:9476

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
140⤵
PID:9528

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
141⤵
PID:9576

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
142⤵
PID:9620

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
143⤵
PID:9668

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
144⤵
PID:9716

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
145⤵
PID:9760

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
146⤵
PID:9804

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
147⤵
PID:9856

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
148⤵
PID:9900

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
149⤵
PID:9948

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
150⤵
PID:9996

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
151⤵
PID:10044

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
152⤵
PID:10088

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
153⤵
PID:10136

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
154⤵
PID:10188

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
155⤵
PID:4728

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
156⤵
PID:4716

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
157⤵
PID:9684

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
158⤵
PID:6420

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
159⤵
PID:2912

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
160⤵
PID:4536

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
161⤵
PID:3176

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
162⤵
PID:10284

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
163⤵
PID:10332

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
164⤵
PID:10384

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
165⤵
PID:10432

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
166⤵
PID:10480

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
167⤵
PID:10532

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
168⤵
PID:10580

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
169⤵
PID:10624

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
170⤵
PID:10680

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
171⤵
PID:10732

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
172⤵
PID:10780

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
173⤵
PID:10828

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
174⤵
PID:10876

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
175⤵
PID:10928

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
176⤵
PID:10976

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
177⤵
PID:11028

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
178⤵
PID:11076

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
179⤵
PID:11124

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
180⤵
PID:11172

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
181⤵
PID:11224

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
182⤵
PID:7152

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
183⤵
PID:2276

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
184⤵
PID:3300

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
185⤵
PID:7428

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
186⤵
PID:7564

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
187⤵
PID:224

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
188⤵
PID:1264

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
189⤵
PID:7976

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
190⤵
PID:4236

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
191⤵
PID:8240

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
192⤵
PID:11304

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
193⤵
PID:11348

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
194⤵
PID:11400

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
195⤵
PID:11456

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
196⤵
PID:11500

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
197⤵
PID:11552

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
198⤵
PID:11600

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
199⤵
PID:11648

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
200⤵
PID:11692

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
201⤵
PID:11744

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
202⤵
PID:11792

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
203⤵
PID:11844

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
204⤵
PID:11900

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
205⤵
PID:11952

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
206⤵
PID:12000

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
207⤵
PID:12044

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
208⤵
PID:12096

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
209⤵
PID:12144

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
210⤵
PID:12192

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
211⤵
PID:12244

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
212⤵
PID:3288

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
213⤵
PID:4528

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
214⤵
PID:1820

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
215⤵
PID:11396

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
216⤵
PID:5252

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
217⤵
PID:5416

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
218⤵
PID:9152

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
219⤵
PID:2812

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
220⤵
PID:5864

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
221⤵
PID:9288

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
222⤵
PID:9384

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
223⤵
PID:9516

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
224⤵
PID:2308

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
225⤵
PID:1848

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
226⤵
PID:9800

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
227⤵
PID:12320

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
228⤵
PID:12368

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
229⤵
PID:12420

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
230⤵
PID:12480

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
231⤵
PID:12528

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
232⤵
PID:12572

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
233⤵
PID:12624

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
234⤵
PID:12684

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
235⤵
PID:12736

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
236⤵
PID:12788

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
237⤵
PID:12840

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
238⤵
PID:12892

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
239⤵
PID:12944

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
240⤵
PID:12996

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
241⤵
PID:13044

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
242⤵
PID:13096

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
243⤵
PID:13148

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
244⤵
PID:13196

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
245⤵
PID:13248

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
246⤵
PID:13296

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
247⤵
PID:9896

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
248⤵
PID:6692

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
249⤵
PID:10176

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
250⤵
PID:6036

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
251⤵
PID:7020

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
252⤵
PID:7128

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
253⤵
PID:6648

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
254⤵
PID:6564

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
255⤵
PID:7248

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
256⤵
PID:10724

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
257⤵
PID:10872

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
258⤵
PID:11020

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
259⤵
PID:7768

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
260⤵
PID:7904

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
261⤵
PID:13348

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
262⤵
PID:13396

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
263⤵
PID:13444

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
264⤵
PID:13500

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
265⤵
PID:13548

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
266⤵
PID:13596

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
267⤵
PID:13656

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
268⤵
PID:13708

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
269⤵
PID:13772

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
270⤵
PID:13820

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
271⤵
PID:13872

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
272⤵
PID:13924

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
273⤵
PID:13976

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
274⤵
PID:14024

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
275⤵
PID:14076

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
276⤵
PID:14124

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
277⤵
PID:14172

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
278⤵
PID:14224

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
279⤵
PID:14276

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
280⤵
PID:14324

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
281⤵
PID:7224

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
282⤵
PID:4364

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
283⤵
PID:7464

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
284⤵
PID:8516

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
285⤵
PID:8720

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
286⤵
PID:8808

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
287⤵
PID:8992

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
288⤵
PID:8244

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
289⤵
PID:8356

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
290⤵
PID:8676

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
291⤵
PID:8828

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
292⤵
PID:9492

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
293⤵
PID:724

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
294⤵
PID:14348

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
295⤵
PID:14408

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
296⤵
PID:14468

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
297⤵
PID:14520

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
298⤵
PID:14572

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
299⤵
PID:14624

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
300⤵
PID:14680

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
301⤵
PID:14736

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
302⤵
PID:14788

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
303⤵
PID:14844

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
304⤵
PID:14892

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
305⤵
PID:14944

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
306⤵
PID:14992

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
307⤵
PID:15040

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
308⤵
PID:15092

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
309⤵
PID:15140

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
310⤵
PID:15192

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
311⤵
PID:15240

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
312⤵
PID:15288

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
313⤵
PID:15336

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
314⤵
PID:5508

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
315⤵
PID:6476

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
316⤵
PID:4476

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
317⤵
PID:3284

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
318⤵
PID:10148

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
319⤵
PID:9324

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
320⤵
PID:9376

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
321⤵
PID:3180

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
322⤵
PID:1520

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
323⤵
PID:13036

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
324⤵
PID:10496

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
325⤵
PID:10036

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
326⤵
PID:10748

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
327⤵
PID:10888

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
328⤵
PID:4020

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
329⤵
PID:13140

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
330⤵
PID:868

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
331⤵
PID:3608

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
332⤵
PID:4308

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
333⤵
PID:11272

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
334⤵
PID:15380

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
335⤵
PID:15432

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
336⤵
PID:15480

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
337⤵
PID:15528

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
338⤵
PID:15584

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
339⤵
PID:15632

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
340⤵
PID:15680

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
341⤵
PID:15732

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
342⤵
PID:15780

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
343⤵
PID:15832

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
344⤵
PID:15888

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
345⤵
PID:15940

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
346⤵
PID:15988

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
347⤵
PID:16040

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
348⤵
PID:16092

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
349⤵
PID:16136

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
350⤵
PID:16184

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
351⤵
PID:16240

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
352⤵
PID:16288

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
353⤵
PID:16340

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
354⤵
PID:11360

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
355⤵
PID:11472

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
356⤵
PID:11564

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
357⤵
PID:13968

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
358⤵
PID:4016

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
359⤵
PID:11916

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
360⤵
PID:14268

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
361⤵
PID:2044

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
362⤵
PID:8400

C:\Windows\SysWOW64\iexplorer-.exe
"C:\Windows\system32\iexplorer-.exe"
363⤵
PID:8696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\iexplorer-.exe

Filesize
39KB

MD5
f1383a03e51aff22ac466f3a9c67027f

SHA1
979825ea8423a8b82cfcb6078f58d0d9aef31d18

SHA256
7a4c272ffbb2e0482edbda182b766ac3253e2ce2368643046b08a9df629a31ec

SHA512
94efedb463131c7e077536fde3f51ca6471d53bc26e775dbcec37f03d5123ae39d190432ba349ca1e96e6d1b64a71f89c27ee6f04b0173ae43ea9d83eac92faf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads