12b9716fee979c9f803b760b330973ea69a9d69292461beee0906c70b68e20ec

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
Size

2.3MB
MD5

66613048c0761907dbf89e63a3c2b060
SHA1

508d73343ad03ea9bb16dc240afa45dbfd7e6fc3
SHA256

12b9716fee979c9f803b760b330973ea69a9d69292461beee0906c70b68e20ec
SHA512

813de5f238ce90ff8793e0a28819c3034e42c367d2318e501ad8fab652c03dda604c47e7869289585de9759d73e0a1721c47f223d52c6a92ef255b29ad8e359e
SSDEEP

49152:FDvXGceY326TxwJWt7183xaV5LPt0ycIvC2Tf6K1IrdBO:RXGcX3280haVruIvXiB+

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 57 IoCs

pid	Process
1340	X7dEL8gRZhXkVlB.exe
2116	vK8fRL9hTqUeIrO.exe
2740	BEL8gRZqhXkVlBz.exe
2788	mfRL9gTXqYeIrOt.exe
2844	oXwjUVelItPyAuD.exe
2680	tqjYCwkIVlNx0c1.exe
2676	aA1uvS2ob3m5Q.exe
2504	iYCwkUVrlBx0c1v.exe
3020	HrzONyxA0v2b3n5.exe
1520	NqhYXwkUVlBz0c1.exe
2984	SCekIVrzOtAuSiD.exe
1504	fUVelIBtzNc1v2b.exe
2728	oucS1ibD3n4.exe
2380	jelIBtzPNc1v2b4.exe
2492	FONtxP0uc1b3n4m.exe
1928	hzPNyxA1uSoFpGa.exe
1632	monF4amH5W7E8.exe
284	sekIBrzONx0v2b3.exe
1320	JwkUVelOBz0c1v2.exe
848	PK7fRL9gTqYeIrO.exe
1544	KF4pmH5sQ7E8R9Y.exe
992	xtxA0ucS2b3n4Q6.exe
1032	xIBtzPNyc1v2b4m.exe
2264	xwkIVrlONx0c1b3.exe
356	AXwjUCelIrPyAuS.exe
2568	RWK7fEL9gZjCkVl.exe
1616	ZsQJ6dEK8R9TwUe.exe
1732	p4amH6sWJfLgZhC.exe
2436	G3pmG5aQJdKfLhX.exe
2916	p1ivD3onFaHs.exe
2116	ZyxA0uvS2.exe
2832	T8gRZqhYXkVl.exe
2204	F5aQH6dWKfLgXjC.exe
2852	FnF4pmH5sJdKgZh.exe
2320	F2ibD3pnGaHsKfL.exe
2892	E9hYXwjUVlBzNc1.exe
2652	uQH6sWK7f.exe
2356	PUVelOBtz0c1v2n.exe
2700	xXqjYCekIrOtAuS.exe
3060	qZ9hYXwjUeItPyA.exe
3032	tWK7fEL9gZjCk.exe
3008	HcA1uvD2oFpGsJd.exe
3044	XL9gTZqjYwIrOtP.exe
840	hJ6dEK8fR9TwUeI.exe
2368	yNtxP0ucSiDoGaH.exe
2344	fXwjUCelIr.exe
2100	bbD3onG4aHs.exe
2576	FCelIBrzPyAuSoF.exe
2496	l3onG4amHsJfLgZ.exe
1232	hBtzPNycAuDoFpG.exe
1096	oTZqjYCwkVlNx0.exe
1084	kuvD2obF4m5Q6E.exe
2032	NCwkIVrlOtPuSiD.exe
1692	b8fRZ9hTXjClBz.exe
2472	V0ucS1ibDoGaHsJ.exe
1452	ZXwjUCelIrPyAuS.exe
2056	l7fEL8gTZhCkVlB.exe

Loads dropped DLL 64 IoCs

pid	Process
2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
1340	X7dEL8gRZhXkVlB.exe
1340	X7dEL8gRZhXkVlB.exe
2116	vK8fRL9hTqUeIrO.exe
2116	vK8fRL9hTqUeIrO.exe
2740	BEL8gRZqhXkVlBz.exe
2740	BEL8gRZqhXkVlBz.exe
2788	mfRL9gTXqYeIrOt.exe
2788	mfRL9gTXqYeIrOt.exe
2844	oXwjUVelItPyAuD.exe
2844	oXwjUVelItPyAuD.exe
2680	tqjYCwkIVlNx0c1.exe
2680	tqjYCwkIVlNx0c1.exe
2676	aA1uvS2ob3m5Q.exe
2676	aA1uvS2ob3m5Q.exe
2504	iYCwkUVrlBx0c1v.exe
2504	iYCwkUVrlBx0c1v.exe
3020	HrzONyxA0v2b3n5.exe
3020	HrzONyxA0v2b3n5.exe
1520	NqhYXwkUVlBz0c1.exe
1520	NqhYXwkUVlBz0c1.exe
2984	SCekIVrzOtAuSiD.exe
2984	SCekIVrzOtAuSiD.exe
1504	fUVelIBtzNc1v2b.exe
1504	fUVelIBtzNc1v2b.exe
2728	oucS1ibD3n4.exe
2728	oucS1ibD3n4.exe
2380	jelIBtzPNc1v2b4.exe
2380	jelIBtzPNc1v2b4.exe
2492	FONtxP0uc1b3n4m.exe
2492	FONtxP0uc1b3n4m.exe
1928	hzPNyxA1uSoFpGa.exe
1928	hzPNyxA1uSoFpGa.exe
1632	monF4amH5W7E8.exe
1632	monF4amH5W7E8.exe
284	sekIBrzONx0v2b3.exe
284	sekIBrzONx0v2b3.exe
1320	JwkUVelOBz0c1v2.exe
1320	JwkUVelOBz0c1v2.exe
848	PK7fRL9gTqYeIrO.exe
848	PK7fRL9gTqYeIrO.exe
1544	KF4pmH5sQ7E8R9Y.exe
1544	KF4pmH5sQ7E8R9Y.exe
992	xtxA0ucS2b3n4Q6.exe
992	xtxA0ucS2b3n4Q6.exe
1032	xIBtzPNyc1v2b4m.exe
1032	xIBtzPNyc1v2b4m.exe
2264	xwkIVrlONx0c1b3.exe
2264	xwkIVrlONx0c1b3.exe
356	AXwjUCelIrPyAuS.exe
356	AXwjUCelIrPyAuS.exe
2568	RWK7fEL9gZjCkVl.exe
2568	RWK7fEL9gZjCkVl.exe
1616	ZsQJ6dEK8R9TwUe.exe
1616	ZsQJ6dEK8R9TwUe.exe
1732	p4amH6sWJfLgZhC.exe
1732	p4amH6sWJfLgZhC.exe
2436	G3pmG5aQJdKfLhX.exe
2436	G3pmG5aQJdKfLhX.exe
2916	p1ivD3onFaHs.exe
2916	p1ivD3onFaHs.exe
2116	ZyxA0uvS2.exe
2116	ZyxA0uvS2.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-1-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2596-2-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2596-12-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1340-14-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1340-15-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1340-25-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2116-36-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2740-47-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2788-58-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2844-69-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2680-80-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2676-91-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2504-102-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/3020-113-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1520-124-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2984-135-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1504-146-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2728-157-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2380-168-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2492-179-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1928-188-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1632-195-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/284-202-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1320-209-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/848-216-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1544-223-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/992-230-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1032-237-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2264-244-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/356-251-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2568-258-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1616-265-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/1732-272-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2436-279-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2916-286-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx
behavioral1/memory/2116-293-0x0000000000400000-0x0000000000CB2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sK8fRZ9hTwUelB8234A = "C:\\Windows\\system32\\HcA1uvD2oFpGsJd.exe"	tWK7fEL9gZjCk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\o8fRZ9hTXjC8234A = "C:\\Windows\\system32\\kuvD2obF4m5Q6E.exe"	oTZqjYCwkVlNx0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fNyxA1uvSo8234A = "C:\\Windows\\system32\\b8fRZ9hTXjClBz.exe"	NCwkIVrlOtPuSiD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fnF4pmH5sJdKg8234A = "C:\\Windows\\system32\\JwkUVelOBz0c1v2.exe"	sekIBrzONx0v2b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gVrlONtxPuSiDoG8234A = "C:\\Windows\\system32\\tWK7fEL9gZjCk.exe"	qZ9hYXwjUeItPyA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FhYCwkUVrOtP8234A = "C:\\Windows\\system32\\l3onG4amHsJfLgZ.exe"	FCelIBrzPyAuSoF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hA1ivD2on4m5Q7E8234A = "C:\\Windows\\system32\\BEL8gRZqhXkVlBz.exe"	vK8fRL9hTqUeIrO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pBtzP0ycAiDoFpH8234A = "C:\\Windows\\system32\\T8gRZqhYXkVl.exe"	ZyxA0uvS2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FJ7dEL8gRqYwUeO8234A = "C:\\Windows\\system32\\p1ivD3onFaHs.exe"	G3pmG5aQJdKfLhX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SsQJ6dEK8R9TwUe8234A = "C:\\Windows\\system32\\hBtzPNycAuDoFpG.exe"	l3onG4amHsJfLgZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dQH6dWK7fLgXjCk8234A = "C:\\Windows\\system32\\HrzONyxA0v2b3n5.exe"	iYCwkUVrlBx0c1v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qNtxP0ucSiDoGaH8234A = "C:\\Windows\\system32\\RWK7fEL9gZjCkVl.exe"	AXwjUCelIrPyAuS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvD2obF4pGsJdK8234A = "C:\\Windows\\system32\\E9hYXwjUVlBzNc1.exe"	F2ibD3pnGaHsKfL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HibD3pnG4Q6W7E98234A = "C:\\Windows\\system32\\xXqjYCekIrOtAuS.exe"	PUVelOBtz0c1v2n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\R3onF4amHsJdLgZ8234A = "C:\\Windows\\system32\\iYCwkUVrlBx0c1v.exe"	aA1uvS2ob3m5Q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DmG5sQJ6dKfZhXj8234A = "C:\\Windows\\system32\\jelIBtzPNc1v2b4.exe"	oucS1ibD3n4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cuvD2obF4m5Q6E88234A = "C:\\Windows\\system32\\qZ9hYXwjUeItPyA.exe"	xXqjYCekIrOtAuS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jzP0ycA1iDoFp8234A = "C:\\Windows\\system32\\X7dEL8gRZhXkVlB.exe"	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\u3onG4amHsJfLgZ8234A = "C:\\Windows\\system32\\tqjYCwkIVlNx0c1.exe"	oXwjUVelItPyAuD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CA0ucS2ib3n4Q68234A = "C:\\Windows\\system32\\mfRL9gTXqYeIrOt.exe"	BEL8gRZqhXkVlBz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GxP0ycS1iDoFa8234A = "C:\\Windows\\system32\\l7fEL8gTZhCkVlB.exe"	ZXwjUCelIrPyAuS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hIBrzPNyx1v2b3m8234A = "C:\\Windows\\system32\\ZsQJ6dEK8R9TwUe.exe"	RWK7fEL9gZjCkVl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apmG5aQJ6W8R98234A = "C:\\Windows\\system32\\FCelIBrzPyAuSoF.exe"	bbD3onG4aHs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msWJ7fEL8TqYwUr8234A = "C:\\Windows\\system32\\FONtxP0uc1b3n4m.exe"	jelIBtzPNc1v2b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JWK7fEL9gZjCkVl8234A = "C:\\Windows\\system32\\xtxA0ucS2b3n4Q6.exe"	KF4pmH5sQ7E8R9Y.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\J5sQJ6dEKfZhXjC8234A = "C:\\Windows\\system32\\xIBtzPNyc1v2b4m.exe"	xtxA0ucS2b3n4Q6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UbF3pnG5aHdKfL8234A = "C:\\Windows\\system32\\ZyxA0uvS2.exe"	p1ivD3onFaHs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kucS1ibD3n4m6W78234A = "C:\\Windows\\system32\\XL9gTZqjYwIrOtP.exe"	HcA1uvD2oFpGsJd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxA0uvS2iFpGaH8234A = "C:\\Windows\\system32\\vK8fRL9hTqUeIrO.exe"	X7dEL8gRZhXkVlB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\umH6sWJ7fLgZhCk8234A = "C:\\Windows\\system32\\oucS1ibD3n4.exe"	fUVelIBtzNc1v2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YkUVrlOBtPySiDo8234A = "C:\\Windows\\system32\\p4amH6sWJfLgZhC.exe"	ZsQJ6dEK8R9TwUe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BcS1ibD3oG8234A = "C:\\Windows\\system32\\oTZqjYCwkVlNx0.exe"	hBtzPNycAuDoFpG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ArzPNyxA1v2b8234A = "C:\\Windows\\system32\\hJ6dEK8fR9TwUeI.exe"	XL9gTZqjYwIrOtP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AD2onF4pm5Q7E8R8234A = "C:\\Windows\\system32\\NqhYXwkUVlBz0c1.exe"	HrzONyxA0v2b3n5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\u4pmH5sQJdKgZhX8234A = "C:\\Windows\\system32\\PUVelOBtz0c1v2n.exe"	uQH6sWK7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gwjUVelIBzNc1v8234A = "C:\\Windows\\system32\\KF4pmH5sQ7E8R9Y.exe"	PK7fRL9gTqYeIrO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xonG4amH6W7E8Tq8234A = "C:\\Windows\\system32\\NCwkIVrlOtPuSiD.exe"	kuvD2obF4m5Q6E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jobF3pmG5Q6W8R98234A = "C:\\Windows\\system32\\ZXwjUCelIrPyAuS.exe"	V0ucS1ibDoGaHsJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SJ6dWK8fR9TqUeI8234A = "C:\\Windows\\system32\\hzPNyxA1uSoFpGa.exe"	FONtxP0uc1b3n4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PRZqhYXwkVlBz0c8234A = "C:\\Windows\\system32\\monF4amH5W7E8.exe"	hzPNyxA1uSoFpGa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pXwjUVelItPyAuD8234A = "C:\\Windows\\system32\\FnF4pmH5sJdKgZh.exe"	F5aQH6dWKfLgXjC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TobF4pmG5Q6E8R98234A = "C:\\Windows\\system32\\oXwjUVelItPyAuD.exe"	mfRL9gTXqYeIrOt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JnG4amH6sJfLgZh8234A = "C:\\Windows\\system32\\xwkIVrlONx0c1b3.exe"	xIBtzPNyc1v2b4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LL9gTZqjYwIrOt8234A = "C:\\Windows\\system32\\uQH6sWK7f.exe"	E9hYXwjUVlBzNc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P4pmG5sQJdKfZhX8234A = "C:\\Windows\\system32\\fUVelIBtzNc1v2b.exe"	SCekIVrzOtAuSiD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UnG5aQH6dKfLgX8234A = "C:\\Windows\\system32\\sekIBrzONx0v2b3.exe"	monF4amH5W7E8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdWK8fRL98234A = "C:\\Windows\\system32\\aA1uvS2ob3m5Q.exe"	tqjYCwkIVlNx0c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iobF3pmG5Q6E88234A = "C:\\Windows\\system32\\AXwjUCelIrPyAuS.exe"	xwkIVrlONx0c1b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pkIVrzONtAuSiDp8234A = "C:\\Windows\\system32\\F5aQH6dWKfLgXjC.exe"	T8gRZqhYXkVl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pgTZqjYCwIrO8234A = "C:\\Windows\\system32\\F2ibD3pnGaHsKfL.exe"	FnF4pmH5sJdKgZh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UPNyxA1uv2b3m5Q8234A = "C:\\Windows\\system32\\fXwjUCelIr.exe"	yNtxP0ucSiDoGaH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\opnG4aQH6W7E9Tq8234A = "C:\\Windows\\system32\\SCekIVrzOtAuSiD.exe"	NqhYXwkUVlBz0c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjUCekIBrOyAuS8234A = "C:\\Windows\\system32\\G3pmG5aQJdKfLhX.exe"	p4amH6sWJfLgZhC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cJ7fEL8gTqYwUrO8234A = "C:\\Windows\\system32\\bbD3onG4aHs.exe"	fXwjUCelIr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfEL8gTZqYwUr8234A = "C:\\Windows\\system32\\V0ucS1ibDoGaHsJ.exe"	b8fRZ9hTXjClBz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ytxA0ucS2b3n4Q68234A = "C:\\Windows\\system32\\PK7fRL9gTqYeIrO.exe"	JwkUVelOBz0c1v2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QsWJ7fEL8TqYwU8234A = "C:\\Windows\\system32\\yNtxP0ucSiDoGaH.exe"	hJ6dEK8fR9TwUeI.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iYCwkUVrlBx0c1v.exe	aA1uvS2ob3m5Q.exe
File created	C:\Windows\SysWOW64\F2ibD3pnGaHsKfL.exe	FnF4pmH5sJdKgZh.exe
File created	C:\Windows\SysWOW64\tWK7fEL9gZjCk.exe	qZ9hYXwjUeItPyA.exe
File created	C:\Windows\SysWOW64\yNtxP0ucSiDoGaH.exe	hJ6dEK8fR9TwUeI.exe
File created	C:\Windows\SysWOW64\oXwjUVelItPyAuD.exe	mfRL9gTXqYeIrOt.exe
File created	C:\Windows\SysWOW64\AXwjUCelIrPyAuS.exe	xwkIVrlONx0c1b3.exe
File created	C:\Windows\SysWOW64\FnF4pmH5sJdKgZh.exe	F5aQH6dWKfLgXjC.exe
File created	C:\Windows\SysWOW64\FCelIBrzPyAuSoF.exe	bbD3onG4aHs.exe
File created	C:\Windows\SysWOW64\l7fEL8gTZhCkVlB.exe	ZXwjUCelIrPyAuS.exe
File created	C:\Windows\SysWOW64\X7dEL8gRZhXkVlB.exe	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NqhYXwkUVlBz0c1.exe	HrzONyxA0v2b3n5.exe
File created	C:\Windows\SysWOW64\oucS1ibD3n4.exe	fUVelIBtzNc1v2b.exe
File created	C:\Windows\SysWOW64\b8fRZ9hTXjClBz.exe	NCwkIVrlOtPuSiD.exe
File created	C:\Windows\SysWOW64\vK8fRL9hTqUeIrO.exe	X7dEL8gRZhXkVlB.exe
File created	C:\Windows\SysWOW64\T8gRZqhYXkVl.exe	ZyxA0uvS2.exe
File created	C:\Windows\SysWOW64\bbD3onG4aHs.exe	fXwjUCelIr.exe
File created	C:\Windows\SysWOW64\aA1uvS2ob3m5Q.exe	tqjYCwkIVlNx0c1.exe
File created	C:\Windows\SysWOW64\xXqjYCekIrOtAuS.exe	PUVelOBtz0c1v2n.exe
File created	C:\Windows\SysWOW64\E9hYXwjUVlBzNc1.exe	F2ibD3pnGaHsKfL.exe
File created	C:\Windows\SysWOW64\G3pmG5aQJdKfLhX.exe	p4amH6sWJfLgZhC.exe
File created	C:\Windows\SysWOW64\RWK7fEL9gZjCkVl.exe	AXwjUCelIrPyAuS.exe
File created	C:\Windows\SysWOW64\jelIBtzPNc1v2b4.exe	oucS1ibD3n4.exe
File created	C:\Windows\SysWOW64\kuvD2obF4m5Q6E.exe	oTZqjYCwkVlNx0.exe
File created	C:\Windows\SysWOW64\ZXwjUCelIrPyAuS.exe	V0ucS1ibDoGaHsJ.exe
File created	C:\Windows\SysWOW64\mfRL9gTXqYeIrOt.exe	BEL8gRZqhXkVlBz.exe
File created	C:\Windows\SysWOW64\KF4pmH5sQ7E8R9Y.exe	PK7fRL9gTqYeIrO.exe
File created	C:\Windows\SysWOW64\hJ6dEK8fR9TwUeI.exe	XL9gTZqjYwIrOtP.exe
File created	C:\Windows\SysWOW64\NCwkIVrlOtPuSiD.exe	kuvD2obF4m5Q6E.exe
File created	C:\Windows\SysWOW64\sekIBrzONx0v2b3.exe	monF4amH5W7E8.exe
File created	C:\Windows\SysWOW64\JwkUVelOBz0c1v2.exe	sekIBrzONx0v2b3.exe
File created	C:\Windows\SysWOW64\fXwjUCelIr.exe	yNtxP0ucSiDoGaH.exe
File created	C:\Windows\SysWOW64\l3onG4amHsJfLgZ.exe	FCelIBrzPyAuSoF.exe
File created	C:\Windows\SysWOW64\tqjYCwkIVlNx0c1.exe	oXwjUVelItPyAuD.exe
File created	C:\Windows\SysWOW64\ZsQJ6dEK8R9TwUe.exe	RWK7fEL9gZjCkVl.exe
File created	C:\Windows\SysWOW64\F5aQH6dWKfLgXjC.exe	T8gRZqhYXkVl.exe
File created	C:\Windows\SysWOW64\xtxA0ucS2b3n4Q6.exe	KF4pmH5sQ7E8R9Y.exe
File created	C:\Windows\SysWOW64\xIBtzPNyc1v2b4m.exe	xtxA0ucS2b3n4Q6.exe
File created	C:\Windows\SysWOW64\p1ivD3onFaHs.exe	G3pmG5aQJdKfLhX.exe
File created	C:\Windows\SysWOW64\PUVelOBtz0c1v2n.exe	uQH6sWK7f.exe
File created	C:\Windows\SysWOW64\monF4amH5W7E8.exe	hzPNyxA1uSoFpGa.exe
File created	C:\Windows\SysWOW64\HcA1uvD2oFpGsJd.exe	tWK7fEL9gZjCk.exe
File created	C:\Windows\SysWOW64\FONtxP0uc1b3n4m.exe	jelIBtzPNc1v2b4.exe
File created	C:\Windows\SysWOW64\SCekIVrzOtAuSiD.exe	NqhYXwkUVlBz0c1.exe
File created	C:\Windows\SysWOW64\fUVelIBtzNc1v2b.exe	SCekIVrzOtAuSiD.exe
File created	C:\Windows\SysWOW64\uQH6sWK7f.exe	E9hYXwjUVlBzNc1.exe
File created	C:\Windows\SysWOW64\BEL8gRZqhXkVlBz.exe	vK8fRL9hTqUeIrO.exe
File created	C:\Windows\SysWOW64\hBtzPNycAuDoFpG.exe	l3onG4amHsJfLgZ.exe
File created	C:\Windows\SysWOW64\V0ucS1ibDoGaHsJ.exe	b8fRZ9hTXjClBz.exe
File created	C:\Windows\SysWOW64\hzPNyxA1uSoFpGa.exe	FONtxP0uc1b3n4m.exe
File created	C:\Windows\SysWOW64\oTZqjYCwkVlNx0.exe	hBtzPNycAuDoFpG.exe
File created	C:\Windows\SysWOW64\PK7fRL9gTqYeIrO.exe	JwkUVelOBz0c1v2.exe
File created	C:\Windows\SysWOW64\xwkIVrlONx0c1b3.exe	xIBtzPNyc1v2b4m.exe
File created	C:\Windows\SysWOW64\p4amH6sWJfLgZhC.exe	ZsQJ6dEK8R9TwUe.exe
File created	C:\Windows\SysWOW64\ZyxA0uvS2.exe	p1ivD3onFaHs.exe
File created	C:\Windows\SysWOW64\qZ9hYXwjUeItPyA.exe	xXqjYCekIrOtAuS.exe
File created	C:\Windows\SysWOW64\XL9gTZqjYwIrOtP.exe	HcA1uvD2oFpGsJd.exe
File created	C:\Windows\SysWOW64\HrzONyxA0v2b3n5.exe	iYCwkUVrlBx0c1v.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
1340	X7dEL8gRZhXkVlB.exe
2116	vK8fRL9hTqUeIrO.exe
2740	BEL8gRZqhXkVlBz.exe
2788	mfRL9gTXqYeIrOt.exe
2844	oXwjUVelItPyAuD.exe
2680	tqjYCwkIVlNx0c1.exe
2676	aA1uvS2ob3m5Q.exe
2504	iYCwkUVrlBx0c1v.exe
3020	HrzONyxA0v2b3n5.exe
1520	NqhYXwkUVlBz0c1.exe
2984	SCekIVrzOtAuSiD.exe
1504	fUVelIBtzNc1v2b.exe
2728	oucS1ibD3n4.exe
2380	jelIBtzPNc1v2b4.exe
2492	FONtxP0uc1b3n4m.exe
1928	hzPNyxA1uSoFpGa.exe
1632	monF4amH5W7E8.exe
284	sekIBrzONx0v2b3.exe
1320	JwkUVelOBz0c1v2.exe
848	PK7fRL9gTqYeIrO.exe
1544	KF4pmH5sQ7E8R9Y.exe
992	xtxA0ucS2b3n4Q6.exe
1032	xIBtzPNyc1v2b4m.exe
2264	xwkIVrlONx0c1b3.exe
356	AXwjUCelIrPyAuS.exe
2568	RWK7fEL9gZjCkVl.exe
1616	ZsQJ6dEK8R9TwUe.exe
1732	p4amH6sWJfLgZhC.exe
2436	G3pmG5aQJdKfLhX.exe
2916	p1ivD3onFaHs.exe
2116	ZyxA0uvS2.exe
2832	T8gRZqhYXkVl.exe
2204	F5aQH6dWKfLgXjC.exe
2852	FnF4pmH5sJdKgZh.exe
2320	F2ibD3pnGaHsKfL.exe
2892	E9hYXwjUVlBzNc1.exe
2652	uQH6sWK7f.exe
2356	PUVelOBtz0c1v2n.exe
2700	xXqjYCekIrOtAuS.exe
3060	qZ9hYXwjUeItPyA.exe
3032	tWK7fEL9gZjCk.exe
3008	HcA1uvD2oFpGsJd.exe
3044	XL9gTZqjYwIrOtP.exe
840	hJ6dEK8fR9TwUeI.exe
2368	yNtxP0ucSiDoGaH.exe
2344	fXwjUCelIr.exe
2100	bbD3onG4aHs.exe
2576	FCelIBrzPyAuSoF.exe
2496	l3onG4amHsJfLgZ.exe
1232	hBtzPNycAuDoFpG.exe
1096	oTZqjYCwkVlNx0.exe
1084	kuvD2obF4m5Q6E.exe
2032	NCwkIVrlOtPuSiD.exe
1692	b8fRZ9hTXjClBz.exe
2472	V0ucS1ibDoGaHsJ.exe
1452	ZXwjUCelIrPyAuS.exe
2056	l7fEL8gTZhCkVlB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1340	2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1340	2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1340	2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1340	2596	66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe	31
PID 1340 wrote to memory of 2116	1340	X7dEL8gRZhXkVlB.exe	32
PID 1340 wrote to memory of 2116	1340	X7dEL8gRZhXkVlB.exe	32
PID 1340 wrote to memory of 2116	1340	X7dEL8gRZhXkVlB.exe	32
PID 1340 wrote to memory of 2116	1340	X7dEL8gRZhXkVlB.exe	32
PID 2116 wrote to memory of 2740	2116	vK8fRL9hTqUeIrO.exe	33
PID 2116 wrote to memory of 2740	2116	vK8fRL9hTqUeIrO.exe	33
PID 2116 wrote to memory of 2740	2116	vK8fRL9hTqUeIrO.exe	33
PID 2116 wrote to memory of 2740	2116	vK8fRL9hTqUeIrO.exe	33
PID 2740 wrote to memory of 2788	2740	BEL8gRZqhXkVlBz.exe	34
PID 2740 wrote to memory of 2788	2740	BEL8gRZqhXkVlBz.exe	34
PID 2740 wrote to memory of 2788	2740	BEL8gRZqhXkVlBz.exe	34
PID 2740 wrote to memory of 2788	2740	BEL8gRZqhXkVlBz.exe	34
PID 2788 wrote to memory of 2844	2788	mfRL9gTXqYeIrOt.exe	35
PID 2788 wrote to memory of 2844	2788	mfRL9gTXqYeIrOt.exe	35
PID 2788 wrote to memory of 2844	2788	mfRL9gTXqYeIrOt.exe	35
PID 2788 wrote to memory of 2844	2788	mfRL9gTXqYeIrOt.exe	35
PID 2844 wrote to memory of 2680	2844	oXwjUVelItPyAuD.exe	36
PID 2844 wrote to memory of 2680	2844	oXwjUVelItPyAuD.exe	36
PID 2844 wrote to memory of 2680	2844	oXwjUVelItPyAuD.exe	36
PID 2844 wrote to memory of 2680	2844	oXwjUVelItPyAuD.exe	36
PID 2680 wrote to memory of 2676	2680	tqjYCwkIVlNx0c1.exe	37
PID 2680 wrote to memory of 2676	2680	tqjYCwkIVlNx0c1.exe	37
PID 2680 wrote to memory of 2676	2680	tqjYCwkIVlNx0c1.exe	37
PID 2680 wrote to memory of 2676	2680	tqjYCwkIVlNx0c1.exe	37
PID 2676 wrote to memory of 2504	2676	aA1uvS2ob3m5Q.exe	38
PID 2676 wrote to memory of 2504	2676	aA1uvS2ob3m5Q.exe	38
PID 2676 wrote to memory of 2504	2676	aA1uvS2ob3m5Q.exe	38
PID 2676 wrote to memory of 2504	2676	aA1uvS2ob3m5Q.exe	38
PID 2504 wrote to memory of 3020	2504	iYCwkUVrlBx0c1v.exe	39
PID 2504 wrote to memory of 3020	2504	iYCwkUVrlBx0c1v.exe	39
PID 2504 wrote to memory of 3020	2504	iYCwkUVrlBx0c1v.exe	39
PID 2504 wrote to memory of 3020	2504	iYCwkUVrlBx0c1v.exe	39
PID 3020 wrote to memory of 1520	3020	HrzONyxA0v2b3n5.exe	40
PID 3020 wrote to memory of 1520	3020	HrzONyxA0v2b3n5.exe	40
PID 3020 wrote to memory of 1520	3020	HrzONyxA0v2b3n5.exe	40
PID 3020 wrote to memory of 1520	3020	HrzONyxA0v2b3n5.exe	40
PID 1520 wrote to memory of 2984	1520	NqhYXwkUVlBz0c1.exe	41
PID 1520 wrote to memory of 2984	1520	NqhYXwkUVlBz0c1.exe	41
PID 1520 wrote to memory of 2984	1520	NqhYXwkUVlBz0c1.exe	41
PID 1520 wrote to memory of 2984	1520	NqhYXwkUVlBz0c1.exe	41
PID 2984 wrote to memory of 1504	2984	SCekIVrzOtAuSiD.exe	42
PID 2984 wrote to memory of 1504	2984	SCekIVrzOtAuSiD.exe	42
PID 2984 wrote to memory of 1504	2984	SCekIVrzOtAuSiD.exe	42
PID 2984 wrote to memory of 1504	2984	SCekIVrzOtAuSiD.exe	42
PID 1504 wrote to memory of 2728	1504	fUVelIBtzNc1v2b.exe	43
PID 1504 wrote to memory of 2728	1504	fUVelIBtzNc1v2b.exe	43
PID 1504 wrote to memory of 2728	1504	fUVelIBtzNc1v2b.exe	43
PID 1504 wrote to memory of 2728	1504	fUVelIBtzNc1v2b.exe	43
PID 2728 wrote to memory of 2380	2728	oucS1ibD3n4.exe	44
PID 2728 wrote to memory of 2380	2728	oucS1ibD3n4.exe	44
PID 2728 wrote to memory of 2380	2728	oucS1ibD3n4.exe	44
PID 2728 wrote to memory of 2380	2728	oucS1ibD3n4.exe	44
PID 2380 wrote to memory of 2492	2380	jelIBtzPNc1v2b4.exe	45
PID 2380 wrote to memory of 2492	2380	jelIBtzPNc1v2b4.exe	45
PID 2380 wrote to memory of 2492	2380	jelIBtzPNc1v2b4.exe	45
PID 2380 wrote to memory of 2492	2380	jelIBtzPNc1v2b4.exe	45
PID 2492 wrote to memory of 1928	2492	FONtxP0uc1b3n4m.exe	46
PID 2492 wrote to memory of 1928	2492	FONtxP0uc1b3n4m.exe	46
PID 2492 wrote to memory of 1928	2492	FONtxP0uc1b3n4m.exe	46
PID 2492 wrote to memory of 1928	2492	FONtxP0uc1b3n4m.exe	46

C:\Users\Admin\AppData\Local\Temp\66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\X7dEL8gRZhXkVlB.exe
  C:\Windows\system32\X7dEL8gRZhXkVlB.exe 5985C:\Users\Admin\AppData\Local\Temp\66613048c0761907dbf89e63a3c2b060_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\vK8fRL9hTqUeIrO.exe
    C:\Windows\system32\vK8fRL9hTqUeIrO.exe 5985C:\Windows\SysWOW64\X7dEL8gRZhXkVlB.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\BEL8gRZqhXkVlBz.exe
      C:\Windows\system32\BEL8gRZqhXkVlBz.exe 5985C:\Windows\SysWOW64\vK8fRL9hTqUeIrO.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\mfRL9gTXqYeIrOt.exe
        
        C:\Windows\system32\mfRL9gTXqYeIrOt.exe 5985C:\Windows\SysWOW64\BEL8gRZqhXkVlBz.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\oXwjUVelItPyAuD.exe
        
        C:\Windows\system32\oXwjUVelItPyAuD.exe 5985C:\Windows\SysWOW64\mfRL9gTXqYeIrOt.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\tqjYCwkIVlNx0c1.exe
        
        C:\Windows\system32\tqjYCwkIVlNx0c1.exe 5985C:\Windows\SysWOW64\oXwjUVelItPyAuD.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\aA1uvS2ob3m5Q.exe
        
        C:\Windows\system32\aA1uvS2ob3m5Q.exe 5985C:\Windows\SysWOW64\tqjYCwkIVlNx0c1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\iYCwkUVrlBx0c1v.exe
        
        C:\Windows\system32\iYCwkUVrlBx0c1v.exe 5985C:\Windows\SysWOW64\aA1uvS2ob3m5Q.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\HrzONyxA0v2b3n5.exe
        
        C:\Windows\system32\HrzONyxA0v2b3n5.exe 5985C:\Windows\SysWOW64\iYCwkUVrlBx0c1v.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\NqhYXwkUVlBz0c1.exe
        
        C:\Windows\system32\NqhYXwkUVlBz0c1.exe 5985C:\Windows\SysWOW64\HrzONyxA0v2b3n5.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\SCekIVrzOtAuSiD.exe
        
        C:\Windows\system32\SCekIVrzOtAuSiD.exe 5985C:\Windows\SysWOW64\NqhYXwkUVlBz0c1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\fUVelIBtzNc1v2b.exe
        
        C:\Windows\system32\fUVelIBtzNc1v2b.exe 5985C:\Windows\SysWOW64\SCekIVrzOtAuSiD.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\oucS1ibD3n4.exe
        
        C:\Windows\system32\oucS1ibD3n4.exe 5985C:\Windows\SysWOW64\fUVelIBtzNc1v2b.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\jelIBtzPNc1v2b4.exe
        
        C:\Windows\system32\jelIBtzPNc1v2b4.exe 5985C:\Windows\SysWOW64\oucS1ibD3n4.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\FONtxP0uc1b3n4m.exe
        
        C:\Windows\system32\FONtxP0uc1b3n4m.exe 5985C:\Windows\SysWOW64\jelIBtzPNc1v2b4.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\hzPNyxA1uSoFpGa.exe
        
        C:\Windows\system32\hzPNyxA1uSoFpGa.exe 5985C:\Windows\SysWOW64\FONtxP0uc1b3n4m.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\monF4amH5W7E8.exe
        
        C:\Windows\system32\monF4amH5W7E8.exe 5985C:\Windows\SysWOW64\hzPNyxA1uSoFpGa.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\sekIBrzONx0v2b3.exe
        
        C:\Windows\system32\sekIBrzONx0v2b3.exe 5985C:\Windows\SysWOW64\monF4amH5W7E8.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Windows\SysWOW64\JwkUVelOBz0c1v2.exe
        
        C:\Windows\system32\JwkUVelOBz0c1v2.exe 5985C:\Windows\SysWOW64\sekIBrzONx0v2b3.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\PK7fRL9gTqYeIrO.exe
        
        C:\Windows\system32\PK7fRL9gTqYeIrO.exe 5985C:\Windows\SysWOW64\JwkUVelOBz0c1v2.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\KF4pmH5sQ7E8R9Y.exe
        
        C:\Windows\system32\KF4pmH5sQ7E8R9Y.exe 5985C:\Windows\SysWOW64\PK7fRL9gTqYeIrO.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\xtxA0ucS2b3n4Q6.exe
        
        C:\Windows\system32\xtxA0ucS2b3n4Q6.exe 5985C:\Windows\SysWOW64\KF4pmH5sQ7E8R9Y.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\xIBtzPNyc1v2b4m.exe
        
        C:\Windows\system32\xIBtzPNyc1v2b4m.exe 5985C:\Windows\SysWOW64\xtxA0ucS2b3n4Q6.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\xwkIVrlONx0c1b3.exe
        
        C:\Windows\system32\xwkIVrlONx0c1b3.exe 5985C:\Windows\SysWOW64\xIBtzPNyc1v2b4m.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\AXwjUCelIrPyAuS.exe
        
        C:\Windows\system32\AXwjUCelIrPyAuS.exe 5985C:\Windows\SysWOW64\xwkIVrlONx0c1b3.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:356
        
        C:\Windows\SysWOW64\RWK7fEL9gZjCkVl.exe
        
        C:\Windows\system32\RWK7fEL9gZjCkVl.exe 5985C:\Windows\SysWOW64\AXwjUCelIrPyAuS.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\ZsQJ6dEK8R9TwUe.exe
        
        C:\Windows\system32\ZsQJ6dEK8R9TwUe.exe 5985C:\Windows\SysWOW64\RWK7fEL9gZjCkVl.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\p4amH6sWJfLgZhC.exe
        
        C:\Windows\system32\p4amH6sWJfLgZhC.exe 5985C:\Windows\SysWOW64\ZsQJ6dEK8R9TwUe.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\G3pmG5aQJdKfLhX.exe
        
        C:\Windows\system32\G3pmG5aQJdKfLhX.exe 5985C:\Windows\SysWOW64\p4amH6sWJfLgZhC.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\p1ivD3onFaHs.exe
        
        C:\Windows\system32\p1ivD3onFaHs.exe 5985C:\Windows\SysWOW64\G3pmG5aQJdKfLhX.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\ZyxA0uvS2.exe
        
        C:\Windows\system32\ZyxA0uvS2.exe 5985C:\Windows\SysWOW64\p1ivD3onFaHs.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\T8gRZqhYXkVl.exe
        
        C:\Windows\system32\T8gRZqhYXkVl.exe 5985C:\Windows\SysWOW64\ZyxA0uvS2.exe
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\F5aQH6dWKfLgXjC.exe
        
        C:\Windows\system32\F5aQH6dWKfLgXjC.exe 5985C:\Windows\SysWOW64\T8gRZqhYXkVl.exe
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\FnF4pmH5sJdKgZh.exe
        
        C:\Windows\system32\FnF4pmH5sJdKgZh.exe 5985C:\Windows\SysWOW64\F5aQH6dWKfLgXjC.exe
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\F2ibD3pnGaHsKfL.exe
        
        C:\Windows\system32\F2ibD3pnGaHsKfL.exe 5985C:\Windows\SysWOW64\FnF4pmH5sJdKgZh.exe
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\E9hYXwjUVlBzNc1.exe
        
        C:\Windows\system32\E9hYXwjUVlBzNc1.exe 5985C:\Windows\SysWOW64\F2ibD3pnGaHsKfL.exe
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\uQH6sWK7f.exe
        
        C:\Windows\system32\uQH6sWK7f.exe 5985C:\Windows\SysWOW64\E9hYXwjUVlBzNc1.exe
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\PUVelOBtz0c1v2n.exe
        
        C:\Windows\system32\PUVelOBtz0c1v2n.exe 5985C:\Windows\SysWOW64\uQH6sWK7f.exe
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\xXqjYCekIrOtAuS.exe
        
        C:\Windows\system32\xXqjYCekIrOtAuS.exe 5985C:\Windows\SysWOW64\PUVelOBtz0c1v2n.exe
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\qZ9hYXwjUeItPyA.exe
        
        C:\Windows\system32\qZ9hYXwjUeItPyA.exe 5985C:\Windows\SysWOW64\xXqjYCekIrOtAuS.exe
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\tWK7fEL9gZjCk.exe
        
        C:\Windows\system32\tWK7fEL9gZjCk.exe 5985C:\Windows\SysWOW64\qZ9hYXwjUeItPyA.exe
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\HcA1uvD2oFpGsJd.exe
        
        C:\Windows\system32\HcA1uvD2oFpGsJd.exe 5985C:\Windows\SysWOW64\tWK7fEL9gZjCk.exe
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\XL9gTZqjYwIrOtP.exe
        
        C:\Windows\system32\XL9gTZqjYwIrOtP.exe 5985C:\Windows\SysWOW64\HcA1uvD2oFpGsJd.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\hJ6dEK8fR9TwUeI.exe
        
        C:\Windows\system32\hJ6dEK8fR9TwUeI.exe 5985C:\Windows\SysWOW64\XL9gTZqjYwIrOtP.exe
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\yNtxP0ucSiDoGaH.exe
        
        C:\Windows\system32\yNtxP0ucSiDoGaH.exe 5985C:\Windows\SysWOW64\hJ6dEK8fR9TwUeI.exe
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\fXwjUCelIr.exe
        
        C:\Windows\system32\fXwjUCelIr.exe 5985C:\Windows\SysWOW64\yNtxP0ucSiDoGaH.exe
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\bbD3onG4aHs.exe
        
        C:\Windows\system32\bbD3onG4aHs.exe 5985C:\Windows\SysWOW64\fXwjUCelIr.exe
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\FCelIBrzPyAuSoF.exe
        
        C:\Windows\system32\FCelIBrzPyAuSoF.exe 5985C:\Windows\SysWOW64\bbD3onG4aHs.exe
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\l3onG4amHsJfLgZ.exe
        
        C:\Windows\system32\l3onG4amHsJfLgZ.exe 5985C:\Windows\SysWOW64\FCelIBrzPyAuSoF.exe
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\hBtzPNycAuDoFpG.exe
        
        C:\Windows\system32\hBtzPNycAuDoFpG.exe 5985C:\Windows\SysWOW64\l3onG4amHsJfLgZ.exe
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\SysWOW64\oTZqjYCwkVlNx0.exe
        
        C:\Windows\system32\oTZqjYCwkVlNx0.exe 5985C:\Windows\SysWOW64\hBtzPNycAuDoFpG.exe
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\kuvD2obF4m5Q6E.exe
        
        C:\Windows\system32\kuvD2obF4m5Q6E.exe 5985C:\Windows\SysWOW64\oTZqjYCwkVlNx0.exe
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\NCwkIVrlOtPuSiD.exe
        
        C:\Windows\system32\NCwkIVrlOtPuSiD.exe 5985C:\Windows\SysWOW64\kuvD2obF4m5Q6E.exe
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\b8fRZ9hTXjClBz.exe
        
        C:\Windows\system32\b8fRZ9hTXjClBz.exe 5985C:\Windows\SysWOW64\NCwkIVrlOtPuSiD.exe
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\V0ucS1ibDoGaHsJ.exe
        
        C:\Windows\system32\V0ucS1ibDoGaHsJ.exe 5985C:\Windows\SysWOW64\b8fRZ9hTXjClBz.exe
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\ZXwjUCelIrPyAuS.exe
        
        C:\Windows\system32\ZXwjUCelIrPyAuS.exe 5985C:\Windows\SysWOW64\V0ucS1ibDoGaHsJ.exe
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\l7fEL8gTZhCkVlB.exe
        
        C:\Windows\system32\l7fEL8gTZhCkVlB.exe 5985C:\Windows\SysWOW64\ZXwjUCelIrPyAuS.exe
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\X7dEL8gRZhXkVlB.exe

Filesize
2.3MB

MD5
66613048c0761907dbf89e63a3c2b060

SHA1
508d73343ad03ea9bb16dc240afa45dbfd7e6fc3

SHA256
12b9716fee979c9f803b760b330973ea69a9d69292461beee0906c70b68e20ec

SHA512
813de5f238ce90ff8793e0a28819c3034e42c367d2318e501ad8fab652c03dda604c47e7869289585de9759d73e0a1721c47f223d52c6a92ef255b29ad8e359e

Download Submit
memory/284-196-0x0000000000250000-0x0000000000371000-memory.dmp

Filesize
1.1MB

Download
memory/284-202-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/356-251-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/356-245-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/848-210-0x0000000002D50000-0x0000000002E71000-memory.dmp

Filesize
1.1MB

Download
memory/848-216-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/992-224-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/992-230-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1032-237-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1032-231-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/1320-203-0x0000000002CC0000-0x0000000002DE1000-memory.dmp

Filesize
1.1MB

Download
memory/1320-209-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1340-14-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1340-25-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1340-13-0x0000000002DF0000-0x0000000002F11000-memory.dmp

Filesize
1.1MB

Download
memory/1340-15-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1504-146-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1504-137-0x0000000002DD0000-0x0000000002EF1000-memory.dmp

Filesize
1.1MB

Download
memory/1520-124-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1520-115-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/1544-223-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1544-217-0x0000000002CB0000-0x0000000002DD1000-memory.dmp

Filesize
1.1MB

Download
memory/1616-259-0x0000000002D90000-0x0000000002EB1000-memory.dmp

Filesize
1.1MB

Download
memory/1616-265-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1632-189-0x0000000002DB0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-195-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1732-266-0x0000000002D50000-0x0000000002E71000-memory.dmp

Filesize
1.1MB

Download
memory/1732-272-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/1928-181-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/1928-188-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2116-27-0x0000000002D60000-0x0000000002E81000-memory.dmp

Filesize
1.1MB

Download
memory/2116-287-0x0000000002DB0000-0x0000000002ED1000-memory.dmp

Filesize
1.1MB

Download
memory/2116-293-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2116-36-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2264-244-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2264-238-0x00000000002D0000-0x00000000003F1000-memory.dmp

Filesize
1.1MB

Download
memory/2380-168-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2380-159-0x0000000002D90000-0x0000000002EB1000-memory.dmp

Filesize
1.1MB

Download
memory/2436-273-0x0000000002CB0000-0x0000000002DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2436-279-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2492-170-0x0000000002D80000-0x0000000002EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2492-179-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2504-93-0x0000000002E30000-0x0000000002F51000-memory.dmp

Filesize
1.1MB

Download
memory/2504-102-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2568-252-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/2568-258-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2596-1-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2596-2-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2596-0-0x0000000002DA0000-0x0000000002EC1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-12-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2676-91-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2676-82-0x0000000002CE0000-0x0000000002E01000-memory.dmp

Filesize
1.1MB

Download
memory/2680-71-0x0000000002CD0000-0x0000000002DF1000-memory.dmp

Filesize
1.1MB

Download
memory/2680-80-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2728-148-0x0000000002E00000-0x0000000002F21000-memory.dmp

Filesize
1.1MB

Download
memory/2728-157-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2740-38-0x0000000002DF0000-0x0000000002F11000-memory.dmp

Filesize
1.1MB

Download
memory/2740-47-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2788-49-0x0000000000FC0000-0x00000000010E1000-memory.dmp

Filesize
1.1MB

Download
memory/2788-58-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2844-60-0x0000000002DC0000-0x0000000002EE1000-memory.dmp

Filesize
1.1MB

Download
memory/2844-69-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2916-280-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/2916-286-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/2984-126-0x0000000002E10000-0x0000000002F31000-memory.dmp

Filesize
1.1MB

Download
memory/2984-135-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download
memory/3020-104-0x0000000000CC0000-0x0000000000DE1000-memory.dmp

Filesize
1.1MB

Download
memory/3020-113-0x0000000000400000-0x0000000000CB2000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads