Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 12:24
- Static task: static1
- Behavioral task: behavioral1 (Sample: 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe, Resource: win7-20240708-en)
- Behavioral task: behavioral2 (Sample: 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe, Resource: win10v2004-20240709-en)
General
- Target: 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe
- Size: 224KB
- MD5: 575db21a5dc340c665e677bade789e3d
- SHA1: b083f5c6e289f61799e2d9a1d20b84ee6b99a077
- SHA256: 006c2f9910644d6cb24c2d325a55d95f36beab9854a1d80f13091507c785e72d
- SHA512: ab701a638ae6fc98a8429bb6b4c352c702e34c9ba709cc4d85c7cc2456987b79e604f726bdb7890999ca612a6c347c9d301a91118a73e7e5202c7e7d2ec93855
- SSDEEP: 768:gJfN8ZTmp3eVLWkaxuUl0+qn+NT+Eo+wWGQYmSs1QORV1U5Wuftxv31e+mLSERt4:gJfN8Zgl2fx5mbRtPrL91FFk
Malware Config
Extracted
xtremerat
cry1.no-ip.biz
Signatures
-
Detect XtremeRAT payload 9 IoCs
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: kl.exe, 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4W3P17Q-3L6H-60S0-5VGJ-XN5PV58TU0P0} | kl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4W3P17Q-3L6H-60S0-5VGJ-XN5PV58TU0P0}\StubPath = "C:\\Windows\\InstallDir\\kl.exe restart" | kl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4W3P17Q-3L6H-60S0-5VGJ-XN5PV58TU0P0} | 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4W3P17Q-3L6H-60S0-5VGJ-XN5PV58TU0P0}\StubPath = "C:\\Windows\\InstallDir\\kl.exe restart" | 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe |

-
Executes dropped EXE 58 IoCs
-
Loads dropped DLL 2 IoCs
Processes: 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe

| pid | Process |
| --- | --- |
| 1340 | 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe |

-
Suspicious use of SetThreadContext 30 IoCs
-
Drops file in Windows directory 2 IoCs
Processes: 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\InstallDir\kl.exe | 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe |
| File created | C:\Windows\InstallDir\kl.exe | 575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\575db21a5dc340c665e677bade789e3d_JaffaCakes118.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2248
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1884
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2292
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:568
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2816 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2612
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2752
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2600
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:3028
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2740 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2624 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2652
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3004
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2268
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3008
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:660
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:304 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1008 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2664
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2128
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1996
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1656 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1056 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2564
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1768
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1948
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1592
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1972
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1604
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1772 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2672 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2420
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2196
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2108
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2028
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2256
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2168 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2280 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2948
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2216
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1132
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1944
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1368
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"16⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1848 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2124
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2416
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:836
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1508
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1512
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1092 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"18⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2184 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2352
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1652
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1040
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:564
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2508
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2060
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2032 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"20⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:464 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2540
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2020
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2348
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2496
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1688
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1696 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"22⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2548 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:3068
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:980
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:3024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2760
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2920 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"24⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2852 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2688
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2632
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:3000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2832
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:596 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"26⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1104 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2812
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1536
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1032
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2112 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"28⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:308 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2884
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:3020
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2192
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:3016
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2456
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2148
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1912 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"30⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1672 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1640
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2516
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2448
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"32⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2932 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2116
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2032
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2120
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:808
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2484 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"34⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2100 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2548
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2756
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2920
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:1492
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"36⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1528 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1124
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2644
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2992
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:3040
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:3044
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:952 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"38⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1760 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2432
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2372
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:920
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2388
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2316
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:860 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"40⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1524 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:580
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1096
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2392
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2512
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2680 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"42⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2656 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1448
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2096
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1364
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:3048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2988
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1772 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"44⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1892 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:308
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1056
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1904
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2428
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:800
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1360
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1524 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"46⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:2680 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1528
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:2444
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1264 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"48⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1696 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2260
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2700
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2680
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:1476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:1264
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:1288
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1044 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"50⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:1524 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:1356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:300
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3100
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3112
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3120
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3132 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"52⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3152 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3196
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3216
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3228
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3236
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3248
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3256
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3272 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"54⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3288 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3328
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3348
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3360
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3368
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3388
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3404 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"56⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3420 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3452
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3460
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3480
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3512
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3520
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3532 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"58⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3552 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3584
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3592
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3656
-
-
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Windows\InstallDir\kl.exe"C:\Windows\InstallDir\kl.exe"60⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3688 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3752
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3784
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5bb05d79a7873df664af7b26975f6fc4d
SHA1be1140d890d7e73d84415a3dea96904f276a0d50
SHA256651cab24968ddc71e78314488c06d0963d499b8f8241e91122423cedd4c60277
SHA512c946f023f28cb0d51934714a86974e9f5b9c406492b60dd73c8bdc9186fd490ceabb7fb73fb0510a95b06ce6574bc5ab5a563a88ecb5342bad3a654b1606588e
-
Filesize
224KB
MD5575db21a5dc340c665e677bade789e3d
SHA1b083f5c6e289f61799e2d9a1d20b84ee6b99a077
SHA256006c2f9910644d6cb24c2d325a55d95f36beab9854a1d80f13091507c785e72d
SHA512ab701a638ae6fc98a8429bb6b4c352c702e34c9ba709cc4d85c7cc2456987b79e604f726bdb7890999ca612a6c347c9d301a91118a73e7e5202c7e7d2ec93855