d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
Size

681KB
MD5

5f2d2cdf37767260b91be36d179da558
SHA1

eb27613c41ae8ebc5eeb676744c9b97dfefb6d94
SHA256

d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435
SHA512

02c0e6f50e15ac803e1e4334a27a8c2e00c2578effcc7f69178d78c65d2060726adc40152745fc1d3dbb0123c58477372a183eeb6ecf3707ea9969267ba05ddd
SSDEEP

12288:a9OkrDWvazofhAe+hK8assCtzATVSw90c1kOY:2DdEAe2taNEz050c1G

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2844	sysbin.exe
2696	sysbin.exe
2764	sysbin.exe
2616	sysbin.exe
2580	sysbin.exe
2240	sysbin.exe
988	sysbin.exe
2288	sysbin.exe
1452	sysbin.exe
1020	sysbin.exe
2980	sysbin.exe
1232	sysbin.exe
1168	sysbin.exe
2808	sysbin.exe
2264	sysbin.exe
592	sysbin.exe
1208	sysbin.exe
2412	sysbin.exe
2400	sysbin.exe
2476	sysbin.exe
268	sysbin.exe
308	sysbin.exe
1136	sysbin.exe
1692	sysbin.exe
1084	sysbin.exe
2456	sysbin.exe
984	sysbin.exe
3048	sysbin.exe
1072	sysbin.exe
1420	sysbin.exe
1492	sysbin.exe
896	sysbin.exe
2304	sysbin.exe
2640	sysbin.exe
2056	sysbin.exe
2132	sysbin.exe
2212	sysbin.exe
1608	sysbin.exe
2104	sysbin.exe
880	sysbin.exe
2328	sysbin.exe
1640	sysbin.exe
2848	sysbin.exe
1708	sysbin.exe
2692	sysbin.exe
2724	sysbin.exe
2696	sysbin.exe
2676	sysbin.exe
2700	sysbin.exe
2572	sysbin.exe
2460	sysbin.exe
1360	sysbin.exe
2240	sysbin.exe
2036	sysbin.exe
2600	sysbin.exe
2012	sysbin.exe
2424	sysbin.exe
2996	sysbin.exe
1884	sysbin.exe
2756	sysbin.exe
2924	sysbin.exe
2932	sysbin.exe
1140	sysbin.exe
1908	sysbin.exe

Loads dropped DLL 64 IoCs

pid	Process
1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
2844	sysbin.exe
2844	sysbin.exe
2696	sysbin.exe
2696	sysbin.exe
2764	sysbin.exe
2764	sysbin.exe
2616	sysbin.exe
2616	sysbin.exe
2580	sysbin.exe
2580	sysbin.exe
2240	sysbin.exe
2240	sysbin.exe
988	sysbin.exe
988	sysbin.exe
2288	sysbin.exe
2288	sysbin.exe
1452	sysbin.exe
1452	sysbin.exe
1020	sysbin.exe
1020	sysbin.exe
2980	sysbin.exe
2980	sysbin.exe
1232	sysbin.exe
1232	sysbin.exe
1168	sysbin.exe
1168	sysbin.exe
2808	sysbin.exe
2808	sysbin.exe
2264	sysbin.exe
2264	sysbin.exe
592	sysbin.exe
592	sysbin.exe
1208	sysbin.exe
1208	sysbin.exe
2412	sysbin.exe
2412	sysbin.exe
2400	sysbin.exe
2400	sysbin.exe
2476	sysbin.exe
2476	sysbin.exe
268	sysbin.exe
268	sysbin.exe
308	sysbin.exe
308	sysbin.exe
1136	sysbin.exe
1136	sysbin.exe
1692	sysbin.exe
1692	sysbin.exe
1084	sysbin.exe
1084	sysbin.exe
2456	sysbin.exe
2456	sysbin.exe
984	sysbin.exe
984	sysbin.exe
3048	sysbin.exe
3048	sysbin.exe
1072	sysbin.exe
1072	sysbin.exe
1420	sysbin.exe
1420	sysbin.exe
1492	sysbin.exe
1492	sysbin.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\systemdllxpc.vxd	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2844	1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2844	1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2844	1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2844	1708	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2696	2844	sysbin.exe	31
PID 2844 wrote to memory of 2696	2844	sysbin.exe	31
PID 2844 wrote to memory of 2696	2844	sysbin.exe	31
PID 2844 wrote to memory of 2696	2844	sysbin.exe	31
PID 2696 wrote to memory of 2764	2696	sysbin.exe	32
PID 2696 wrote to memory of 2764	2696	sysbin.exe	32
PID 2696 wrote to memory of 2764	2696	sysbin.exe	32
PID 2696 wrote to memory of 2764	2696	sysbin.exe	32
PID 2764 wrote to memory of 2616	2764	sysbin.exe	33
PID 2764 wrote to memory of 2616	2764	sysbin.exe	33
PID 2764 wrote to memory of 2616	2764	sysbin.exe	33
PID 2764 wrote to memory of 2616	2764	sysbin.exe	33
PID 2616 wrote to memory of 2580	2616	sysbin.exe	34
PID 2616 wrote to memory of 2580	2616	sysbin.exe	34
PID 2616 wrote to memory of 2580	2616	sysbin.exe	34
PID 2616 wrote to memory of 2580	2616	sysbin.exe	34
PID 2580 wrote to memory of 2240	2580	sysbin.exe	35
PID 2580 wrote to memory of 2240	2580	sysbin.exe	35
PID 2580 wrote to memory of 2240	2580	sysbin.exe	35
PID 2580 wrote to memory of 2240	2580	sysbin.exe	35
PID 2240 wrote to memory of 988	2240	sysbin.exe	36
PID 2240 wrote to memory of 988	2240	sysbin.exe	36
PID 2240 wrote to memory of 988	2240	sysbin.exe	36
PID 2240 wrote to memory of 988	2240	sysbin.exe	36
PID 988 wrote to memory of 2288	988	sysbin.exe	37
PID 988 wrote to memory of 2288	988	sysbin.exe	37
PID 988 wrote to memory of 2288	988	sysbin.exe	37
PID 988 wrote to memory of 2288	988	sysbin.exe	37
PID 2288 wrote to memory of 1452	2288	sysbin.exe	38
PID 2288 wrote to memory of 1452	2288	sysbin.exe	38
PID 2288 wrote to memory of 1452	2288	sysbin.exe	38
PID 2288 wrote to memory of 1452	2288	sysbin.exe	38
PID 1452 wrote to memory of 1020	1452	sysbin.exe	39
PID 1452 wrote to memory of 1020	1452	sysbin.exe	39
PID 1452 wrote to memory of 1020	1452	sysbin.exe	39
PID 1452 wrote to memory of 1020	1452	sysbin.exe	39
PID 1020 wrote to memory of 2980	1020	sysbin.exe	40
PID 1020 wrote to memory of 2980	1020	sysbin.exe	40
PID 1020 wrote to memory of 2980	1020	sysbin.exe	40
PID 1020 wrote to memory of 2980	1020	sysbin.exe	40
PID 2980 wrote to memory of 1232	2980	sysbin.exe	41
PID 2980 wrote to memory of 1232	2980	sysbin.exe	41
PID 2980 wrote to memory of 1232	2980	sysbin.exe	41
PID 2980 wrote to memory of 1232	2980	sysbin.exe	41
PID 1232 wrote to memory of 1168	1232	sysbin.exe	42
PID 1232 wrote to memory of 1168	1232	sysbin.exe	42
PID 1232 wrote to memory of 1168	1232	sysbin.exe	42
PID 1232 wrote to memory of 1168	1232	sysbin.exe	42
PID 1168 wrote to memory of 2808	1168	sysbin.exe	43
PID 1168 wrote to memory of 2808	1168	sysbin.exe	43
PID 1168 wrote to memory of 2808	1168	sysbin.exe	43
PID 1168 wrote to memory of 2808	1168	sysbin.exe	43
PID 2808 wrote to memory of 2264	2808	sysbin.exe	44
PID 2808 wrote to memory of 2264	2808	sysbin.exe	44
PID 2808 wrote to memory of 2264	2808	sysbin.exe	44
PID 2808 wrote to memory of 2264	2808	sysbin.exe	44
PID 2264 wrote to memory of 592	2264	sysbin.exe	45
PID 2264 wrote to memory of 592	2264	sysbin.exe	45
PID 2264 wrote to memory of 592	2264	sysbin.exe	45
PID 2264 wrote to memory of 592	2264	sysbin.exe	45

C:\Users\Admin\AppData\Local\Temp\5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\sysbin.exe
  "C:\Windows\system32\sysbin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\sysbin.exe
    "C:\Windows\system32\sysbin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\sysbin.exe
      "C:\Windows\system32\sysbin.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:592
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1208
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2400
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2476
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:268
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:308
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1136
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1084
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2456
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3048
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        33⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        34⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        35⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        36⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        37⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        38⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        39⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2104
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        41⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        42⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        45⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        46⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        48⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        49⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        50⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        51⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        53⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        54⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        55⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        56⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        58⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        59⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        60⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2756
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        63⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        64⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        65⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        66⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        67⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        68⤵
        Adds Run key to start application
        
        PID:1100
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        70⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        71⤵
        Adds Run key to start application
        
        PID:320
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        72⤵
        Adds Run key to start application
        
        PID:1672
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        73⤵
        Adds Run key to start application
        
        PID:2484
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        74⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        75⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        76⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        77⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        78⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        79⤵
        
        PID:276
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        80⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        81⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        82⤵
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        84⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        85⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        86⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        87⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        89⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        90⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        92⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        93⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        94⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        95⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        96⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        97⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        98⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        100⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        101⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        102⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        103⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        104⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        105⤵
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        106⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        107⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        108⤵
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        109⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        110⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        112⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        113⤵
        Adds Run key to start application
        
        PID:2216
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        114⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        115⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        116⤵
        Adds Run key to start application
        
        PID:3012
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        117⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        118⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        119⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        120⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        121⤵
        
        PID:484
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        122⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        123⤵
        
        PID:592
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        124⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        125⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        126⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        127⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        128⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        129⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        130⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        131⤵
        Adds Run key to start application
        
        PID:1480
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        132⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        133⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        134⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        135⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        136⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        137⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        138⤵
        Adds Run key to start application
        
        PID:848
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        139⤵
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        140⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        141⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        142⤵
        
        PID:920
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        143⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        144⤵
        
        PID:804
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        145⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        146⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        147⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        148⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        149⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        150⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        151⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        152⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        153⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        154⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        155⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        156⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        157⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        158⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        159⤵
        Adds Run key to start application
        
        PID:2616
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        160⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        161⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        162⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        163⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        164⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        165⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        166⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        167⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        168⤵
        
        PID:944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        169⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        170⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        171⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        172⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        173⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        174⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        175⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        176⤵
        Adds Run key to start application
        
        PID:1176
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        177⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        178⤵
        
        PID:812
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        179⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        180⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        181⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        182⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        183⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        184⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        185⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        186⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        187⤵
        
        PID:276
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        188⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        189⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        190⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        191⤵
        
        PID:628
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        192⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        193⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        194⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        195⤵
        Adds Run key to start application
        
        PID:848
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        196⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        197⤵
        Adds Run key to start application
        
        PID:3008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        198⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        199⤵
        Adds Run key to start application
        
        PID:920
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        200⤵
        
        PID:304
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        201⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        202⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        203⤵
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        204⤵
        
        PID:468
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        205⤵
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        206⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        207⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        208⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        209⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        210⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        211⤵
        Adds Run key to start application
        
        PID:2208
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        212⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        213⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        214⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        215⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        216⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        217⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        218⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        219⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        220⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        221⤵
        Adds Run key to start application
        
        PID:636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        222⤵
        Adds Run key to start application
        
        PID:1652
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        223⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        224⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        225⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        226⤵
        Adds Run key to start application
        
        PID:1884
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        227⤵
        
        PID:544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        228⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        229⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        230⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        231⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        232⤵
        Adds Run key to start application
        
        PID:484
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        233⤵
        Adds Run key to start application
        
        PID:536
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        234⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        235⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        236⤵
        Adds Run key to start application
        
        PID:1208
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        237⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        238⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        239⤵
        
        PID:448
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        240⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        241⤵
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        242⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        243⤵
        Adds Run key to start application
        
        PID:308
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        244⤵
        
        PID:956
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        245⤵
        Adds Run key to start application
        
        PID:1576
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        246⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        247⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        248⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        249⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        250⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        251⤵
        Adds Run key to start application
        
        PID:1420
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        252⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        253⤵
        Adds Run key to start application
        
        PID:1832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        254⤵
        
        PID:896
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        255⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        256⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        257⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        258⤵
        Adds Run key to start application
        
        PID:1224
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        259⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        260⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        261⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        262⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        263⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        264⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        265⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        266⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        267⤵
        Adds Run key to start application
        
        PID:2680
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        268⤵
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        269⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        270⤵
        Adds Run key to start application
        
        PID:2868
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        271⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        272⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        273⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        274⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        275⤵
        Adds Run key to start application
        
        PID:1076
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        276⤵
        
        PID:988
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        277⤵
        Adds Run key to start application
        
        PID:1888
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        278⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        279⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        280⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        281⤵
        Adds Run key to start application
        
        PID:2436
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        282⤵
        
        PID:932
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        283⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        284⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        285⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        286⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        287⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        288⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        289⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        290⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        291⤵
        
        PID:380
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        292⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        293⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        294⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        295⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        296⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        297⤵
        
        PID:580
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        298⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        299⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        300⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        301⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        302⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        303⤵
        
        PID:904
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        304⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        305⤵
        
        PID:496
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        306⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        307⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        308⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        309⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        310⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        311⤵
        
        PID:828
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        312⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        313⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        314⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        315⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        316⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        317⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        318⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        319⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        320⤵
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        321⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        322⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        323⤵
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        324⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        325⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        326⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        327⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        328⤵
        Adds Run key to start application
        
        PID:2604
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        329⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        330⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        331⤵
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        332⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        333⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        334⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        335⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        336⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        337⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        338⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        339⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        340⤵
        Adds Run key to start application
        
        PID:1452
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        341⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        342⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        343⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        344⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        345⤵
        Adds Run key to start application
        
        PID:1140
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        346⤵
        Adds Run key to start application
        
        PID:3036
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        347⤵
        Adds Run key to start application
        
        PID:2264
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        348⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        349⤵
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysbin.exe

Filesize
681KB

MD5
5f2d2cdf37767260b91be36d179da558

SHA1
eb27613c41ae8ebc5eeb676744c9b97dfefb6d94

SHA256
d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435

SHA512
02c0e6f50e15ac803e1e4334a27a8c2e00c2578effcc7f69178d78c65d2060726adc40152745fc1d3dbb0123c58477372a183eeb6ecf3707ea9969267ba05ddd

Download Submit
C:\Windows\SysWOW64\systemdllxpc.vxd

Filesize
6B

MD5
d84b5f37816eecb2acbbe75241babb3e

SHA1
abe08de2156c4f124e9a83135f9206350196a763

SHA256
1aa0f9fc90d1c7e0c0285097c7799206b73cfff373ed1ef54ff7428293a0a432

SHA512
7d18bb846120967e1398f6d179a5dd439664eb67d743a9acfaa8e691d48ad9c5ca96f5e72f041aab8396981025597e1b00fd2e8651ae8f5865bf3c3574ebeef3

Download Submit
memory/268-116-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/308-118-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/592-106-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/880-154-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/896-138-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/984-128-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/988-56-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1020-73-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1072-132-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1084-124-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1136-120-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1140-203-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1168-91-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1208-108-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1232-85-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1360-180-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1420-134-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1452-68-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1492-136-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1608-150-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1640-160-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1692-122-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1708-11-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1708-164-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1708-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1884-194-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2012-188-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2036-184-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2056-144-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2104-152-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2132-146-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2212-148-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2240-49-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2240-182-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2264-104-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2288-61-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2304-140-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2328-155-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2400-112-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2412-110-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2424-190-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2456-126-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2460-178-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2476-114-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2572-176-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2580-44-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2600-186-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2616-37-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2640-142-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2676-172-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2692-166-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2696-170-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2696-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2696-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2700-174-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2724-168-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2756-196-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2764-32-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2808-98-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2844-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2844-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-162-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2924-198-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2932-200-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2980-80-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2996-192-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3048-130-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads