d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
Size

681KB
MD5

5f2d2cdf37767260b91be36d179da558
SHA1

eb27613c41ae8ebc5eeb676744c9b97dfefb6d94
SHA256

d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435
SHA512

02c0e6f50e15ac803e1e4334a27a8c2e00c2578effcc7f69178d78c65d2060726adc40152745fc1d3dbb0123c58477372a183eeb6ecf3707ea9969267ba05ddd
SSDEEP

12288:a9OkrDWvazofhAe+hK8assCtzATVSw90c1kOY:2DdEAe2taNEz050c1G

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysbin.exe

Executes dropped EXE 64 IoCs

pid	Process
1528	sysbin.exe
3760	sysbin.exe
4192	sysbin.exe
3452	sysbin.exe
5084	sysbin.exe
2544	sysbin.exe
4696	sysbin.exe
3704	sysbin.exe
3728	sysbin.exe
3580	sysbin.exe
3520	sysbin.exe
1484	sysbin.exe
3368	sysbin.exe
1716	sysbin.exe
4392	sysbin.exe
4920	sysbin.exe
2392	sysbin.exe
812	sysbin.exe
4732	sysbin.exe
2988	sysbin.exe
5104	sysbin.exe
4944	sysbin.exe
2480	sysbin.exe
1648	sysbin.exe
3236	sysbin.exe
2320	sysbin.exe
2712	sysbin.exe
4956	sysbin.exe
2152	sysbin.exe
3212	sysbin.exe
3124	sysbin.exe
2008	sysbin.exe
4900	sysbin.exe
1888	sysbin.exe
4272	sysbin.exe
4132	sysbin.exe
2408	sysbin.exe
4796	sysbin.exe
3820	sysbin.exe
2392	sysbin.exe
3496	sysbin.exe
4420	sysbin.exe
632	sysbin.exe
1100	sysbin.exe
2572	sysbin.exe
4468	sysbin.exe
1040	sysbin.exe
2928	sysbin.exe
2528	sysbin.exe
2012	sysbin.exe
4456	sysbin.exe
4164	sysbin.exe
1912	sysbin.exe
2748	sysbin.exe
3376	sysbin.exe
668	sysbin.exe
2816	sysbin.exe
2008	sysbin.exe
3564	sysbin.exe
4188	sysbin.exe
4388	sysbin.exe
4404	sysbin.exe
1972	sysbin.exe
3740	sysbin.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshe = "sysbin.exe"	sysbin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File created	C:\Windows\SysWOW64\sysbin.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\systemdllxpc.vxd	sysbin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1528	3136	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	85
PID 3136 wrote to memory of 1528	3136	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	85
PID 3136 wrote to memory of 1528	3136	5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe	85
PID 1528 wrote to memory of 3760	1528	sysbin.exe	88
PID 1528 wrote to memory of 3760	1528	sysbin.exe	88
PID 1528 wrote to memory of 3760	1528	sysbin.exe	88
PID 3760 wrote to memory of 4192	3760	sysbin.exe	89
PID 3760 wrote to memory of 4192	3760	sysbin.exe	89
PID 3760 wrote to memory of 4192	3760	sysbin.exe	89
PID 4192 wrote to memory of 3452	4192	sysbin.exe	90
PID 4192 wrote to memory of 3452	4192	sysbin.exe	90
PID 4192 wrote to memory of 3452	4192	sysbin.exe	90
PID 3452 wrote to memory of 5084	3452	sysbin.exe	91
PID 3452 wrote to memory of 5084	3452	sysbin.exe	91
PID 3452 wrote to memory of 5084	3452	sysbin.exe	91
PID 5084 wrote to memory of 2544	5084	sysbin.exe	92
PID 5084 wrote to memory of 2544	5084	sysbin.exe	92
PID 5084 wrote to memory of 2544	5084	sysbin.exe	92
PID 2544 wrote to memory of 4696	2544	sysbin.exe	95
PID 2544 wrote to memory of 4696	2544	sysbin.exe	95
PID 2544 wrote to memory of 4696	2544	sysbin.exe	95
PID 4696 wrote to memory of 3704	4696	sysbin.exe	96
PID 4696 wrote to memory of 3704	4696	sysbin.exe	96
PID 4696 wrote to memory of 3704	4696	sysbin.exe	96
PID 3704 wrote to memory of 3728	3704	sysbin.exe	99
PID 3704 wrote to memory of 3728	3704	sysbin.exe	99
PID 3704 wrote to memory of 3728	3704	sysbin.exe	99
PID 3728 wrote to memory of 3580	3728	sysbin.exe	100
PID 3728 wrote to memory of 3580	3728	sysbin.exe	100
PID 3728 wrote to memory of 3580	3728	sysbin.exe	100
PID 3580 wrote to memory of 3520	3580	sysbin.exe	101
PID 3580 wrote to memory of 3520	3580	sysbin.exe	101
PID 3580 wrote to memory of 3520	3580	sysbin.exe	101
PID 3520 wrote to memory of 1484	3520	sysbin.exe	102
PID 3520 wrote to memory of 1484	3520	sysbin.exe	102
PID 3520 wrote to memory of 1484	3520	sysbin.exe	102
PID 1484 wrote to memory of 3368	1484	sysbin.exe	103
PID 1484 wrote to memory of 3368	1484	sysbin.exe	103
PID 1484 wrote to memory of 3368	1484	sysbin.exe	103
PID 3368 wrote to memory of 1716	3368	sysbin.exe	105
PID 3368 wrote to memory of 1716	3368	sysbin.exe	105
PID 3368 wrote to memory of 1716	3368	sysbin.exe	105
PID 1716 wrote to memory of 4392	1716	sysbin.exe	106
PID 1716 wrote to memory of 4392	1716	sysbin.exe	106
PID 1716 wrote to memory of 4392	1716	sysbin.exe	106
PID 4392 wrote to memory of 4920	4392	sysbin.exe	107
PID 4392 wrote to memory of 4920	4392	sysbin.exe	107
PID 4392 wrote to memory of 4920	4392	sysbin.exe	107
PID 4920 wrote to memory of 2392	4920	sysbin.exe	108
PID 4920 wrote to memory of 2392	4920	sysbin.exe	108
PID 4920 wrote to memory of 2392	4920	sysbin.exe	108
PID 2392 wrote to memory of 812	2392	sysbin.exe	109
PID 2392 wrote to memory of 812	2392	sysbin.exe	109
PID 2392 wrote to memory of 812	2392	sysbin.exe	109
PID 812 wrote to memory of 4732	812	sysbin.exe	111
PID 812 wrote to memory of 4732	812	sysbin.exe	111
PID 812 wrote to memory of 4732	812	sysbin.exe	111
PID 4732 wrote to memory of 2988	4732	sysbin.exe	112
PID 4732 wrote to memory of 2988	4732	sysbin.exe	112
PID 4732 wrote to memory of 2988	4732	sysbin.exe	112
PID 2988 wrote to memory of 5104	2988	sysbin.exe	113
PID 2988 wrote to memory of 5104	2988	sysbin.exe	113
PID 2988 wrote to memory of 5104	2988	sysbin.exe	113
PID 5104 wrote to memory of 4944	5104	sysbin.exe	114

C:\Users\Admin\AppData\Local\Temp\5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f2d2cdf37767260b91be36d179da558_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\SysWOW64\sysbin.exe
  "C:\Windows\system32\sysbin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\sysbin.exe
    "C:\Windows\system32\sysbin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\SysWOW64\sysbin.exe
      "C:\Windows\system32\sysbin.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        23⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        24⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        25⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        28⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4956
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        30⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        31⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        32⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        34⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        35⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        36⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        39⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        40⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3496
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1100
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        48⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2528
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        51⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        54⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2748
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        56⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:668
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        58⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        61⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        62⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        65⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        66⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        67⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        68⤵
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        69⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        70⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        71⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        72⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        73⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        74⤵
        Checks computer location settings
        
        PID:3700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        75⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        76⤵
        Adds Run key to start application
        
        PID:4172
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        77⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        78⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        79⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        80⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        81⤵
        Adds Run key to start application
        
        PID:4800
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        82⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        83⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        84⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        85⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        86⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        87⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        88⤵
        Adds Run key to start application
        
        PID:436
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        89⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        90⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2988
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        92⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        93⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        94⤵
        Adds Run key to start application
        
        PID:2572
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        95⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        96⤵
        Checks computer location settings
        
        PID:2188
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        97⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        98⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        99⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        100⤵
        Adds Run key to start application
        
        PID:3476
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        101⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        102⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        104⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        105⤵
        Adds Run key to start application
        
        PID:4024
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        106⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        107⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        108⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        109⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        110⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        111⤵
        
        PID:844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        112⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        113⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        114⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        115⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        116⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        117⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        118⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2236
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        119⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        120⤵
        
        PID:760
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        122⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        123⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        124⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        125⤵
        Adds Run key to start application
        
        PID:452
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        126⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        127⤵
        Checks computer location settings
        
        PID:1488
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        128⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        129⤵
        Adds Run key to start application
        
        PID:1780
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        130⤵
        Checks computer location settings
        
        PID:3436
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        131⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        132⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        133⤵
        
        PID:960
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        134⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        135⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        136⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        137⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        138⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        139⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        140⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        141⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        142⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        143⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        144⤵
        Adds Run key to start application
        
        PID:4944
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        145⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        146⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        147⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        148⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        149⤵
        Adds Run key to start application
        
        PID:3772
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        150⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        151⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        152⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        153⤵
        Adds Run key to start application
        
        PID:3872
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        154⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        155⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        156⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        157⤵
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        158⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        159⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        160⤵
        Adds Run key to start application
        
        PID:4024
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        161⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        162⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        163⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        164⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        165⤵
        Checks computer location settings
        
        PID:3368
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        166⤵
        
        PID:208
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        167⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        168⤵
        Adds Run key to start application
        
        PID:4388
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        169⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        170⤵
        Checks computer location settings
        
        PID:1712
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        171⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        172⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        173⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        174⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        175⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        176⤵
        Checks computer location settings
        
        PID:2160
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        177⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        178⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        179⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        180⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        181⤵
        Checks computer location settings
        
        PID:4528
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        182⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        183⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        184⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        185⤵
        Checks computer location settings
        
        PID:1596
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        186⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4184
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        187⤵
        Checks computer location settings
        
        PID:4896
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        188⤵
        Adds Run key to start application
        
        PID:3080
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        189⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        190⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        191⤵
        
        PID:700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        192⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        193⤵
        Adds Run key to start application
        
        PID:3456
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        194⤵
        Adds Run key to start application
        
        PID:3160
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        195⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        196⤵
        Adds Run key to start application
        
        PID:1964
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        197⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        198⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        199⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        200⤵
        
        PID:60
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        201⤵
        Adds Run key to start application
        
        PID:4860
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        202⤵
        Checks computer location settings
        
        PID:2860
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        203⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        204⤵
        Adds Run key to start application
        
        PID:2344
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        205⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        206⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        207⤵
        Adds Run key to start application
        
        PID:2708
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        208⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        209⤵
        Checks computer location settings
        
        PID:2896
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        210⤵
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        211⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        212⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        213⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        214⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        215⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        216⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        217⤵
        Checks computer location settings
        
        PID:3852
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        218⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        219⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        220⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        221⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        222⤵
        Adds Run key to start application
        
        PID:1232
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        223⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        224⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        225⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        226⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        227⤵
        Checks computer location settings
        
        PID:4612
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        228⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        229⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        230⤵
        
        PID:548
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        231⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        232⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        233⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        234⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        235⤵
        Checks computer location settings
        
        PID:2344
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        236⤵
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        237⤵
        Adds Run key to start application
        
        PID:5032
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        238⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        239⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        240⤵
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        241⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1128
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        242⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        243⤵
        
        PID:696
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        244⤵
        Adds Run key to start application
        
        PID:5056
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        245⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2408
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        246⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        247⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:908
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        248⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        249⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        250⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        251⤵
        Checks computer location settings
        
        PID:2872
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        252⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        253⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4900
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        254⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3564
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        255⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        256⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        257⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        258⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        259⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        260⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        261⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        262⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        263⤵
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        264⤵
        Adds Run key to start application
        
        PID:1692
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        265⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        266⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        267⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        268⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        269⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:844
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        270⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        271⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        272⤵
        
        PID:700
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        273⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        274⤵
        Checks computer location settings
        
        PID:3828
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        275⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        276⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        277⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        278⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        279⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        280⤵
        Adds Run key to start application
        
        PID:3092
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        281⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\sysbin.exe
        
        "C:\Windows\system32\sysbin.exe"
        282⤵
        
        PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysbin.exe

Filesize
681KB

MD5
5f2d2cdf37767260b91be36d179da558

SHA1
eb27613c41ae8ebc5eeb676744c9b97dfefb6d94

SHA256
d3df3996ee18be7a67baf9e14ded3de62767372fc18df12a9efbb98df8102435

SHA512
02c0e6f50e15ac803e1e4334a27a8c2e00c2578effcc7f69178d78c65d2060726adc40152745fc1d3dbb0123c58477372a183eeb6ecf3707ea9969267ba05ddd

Download Submit
C:\Windows\SysWOW64\systemdllxpc.vxd

Filesize
6B

MD5
d84b5f37816eecb2acbbe75241babb3e

SHA1
abe08de2156c4f124e9a83135f9206350196a763

SHA256
1aa0f9fc90d1c7e0c0285097c7799206b73cfff373ed1ef54ff7428293a0a432

SHA512
7d18bb846120967e1398f6d179a5dd439664eb67d743a9acfaa8e691d48ad9c5ca96f5e72f041aab8396981025597e1b00fd2e8651ae8f5865bf3c3574ebeef3

Download Submit
memory/632-163-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/668-189-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/812-87-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1040-171-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1100-165-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1484-63-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1528-18-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1528-16-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1648-111-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1716-71-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1888-145-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1912-183-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1972-203-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2008-141-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2008-193-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2012-177-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2152-131-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2320-119-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2392-157-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2392-83-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2408-151-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2480-107-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2528-175-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2544-39-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2572-167-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2712-123-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2748-185-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2816-191-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2928-173-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2988-95-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3124-139-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3136-2-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3136-13-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3212-135-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3236-115-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3368-67-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3376-187-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3452-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3496-159-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3520-59-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3564-195-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3580-55-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3704-47-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3728-51-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3760-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3760-21-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3820-155-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4132-149-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4164-181-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4188-197-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4192-27-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4272-147-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4388-199-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4392-75-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4404-201-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4420-161-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4456-179-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4468-169-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4696-43-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4732-91-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4796-153-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4900-143-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4920-79-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4944-103-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4956-127-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5084-35-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5104-99-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads