dbfa62dbc4e6db7006009e5c59b7e7fb7665d918eadd2f5d73724c9e4f628160

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
Size

556KB
MD5

856affc31c3958d297ea725b643655e7
SHA1

57c4b6013d8e17a14a4c696c688ba5de68144efe
SHA256

dbfa62dbc4e6db7006009e5c59b7e7fb7665d918eadd2f5d73724c9e4f628160
SHA512

da4b6de960b5ea975c417074a6aa29ae9a5679f0d5cd34f2752d9636571d2b378648db81d5d128b5acba725dd64388013205e87ecd21dce37b4d0d274cfccb9c
SSDEEP

12288:0Z/db/+1xBFf1IfSKyiRVnuDCHFUcYnY/kjDx1anrpukz/niMFP60:0Rd21xB/0Mi/PHFUKcjXgpukeM9

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 48 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Windows\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Windows\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1W7A2D2S-S57D-63O0-50IY-830O4LL482CQ}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe restart"	svchost.exe

Executes dropped EXE 46 IoCs

pid	Process
3360	Newr.exe
2192	Newr.exe
1756	Newr.exe
5032	Newr.exe
3764	Newr.exe
4020	Newr.exe
884	Newr.exe
3780	Newr.exe
2488	Newr.exe
4528	Newr.exe
2408	Newr.exe
872	Newr.exe
1228	Newr.exe
2184	Newr.exe
3608	Newr.exe
4856	Newr.exe
4868	Newr.exe
1972	Newr.exe
2564	Newr.exe
836	Newr.exe
3752	Newr.exe
1088	Newr.exe
1612	Newr.exe
1264	Newr.exe
4968	Newr.exe
116	Newr.exe
2564	Newr.exe
1160	Newr.exe
2280	Newr.exe
4076	Newr.exe
2240	Newr.exe
1920	Newr.exe
4996	Newr.exe
4780	Newr.exe
4316	Newr.exe
4860	Newr.exe
2460	Newr.exe
3428	Newr.exe
3312	Newr.exe
4952	Newr.exe
4816	Newr.exe
3508	Newr.exe
4112	Newr.exe
4624	Newr.exe
3740	Newr.exe
968	Newr.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3752-10-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-11-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-9-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-16-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-18-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-17-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2264-21-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-22-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3752-23-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1040-37-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1040-38-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1040-40-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1040-36-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1040-42-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2908-61-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2908-63-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/632-82-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/632-84-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\New\\Newr.exe"	svchost.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3952 set thread context of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3360 set thread context of 2192	3360	Newr.exe	104
PID 2192 set thread context of 1040	2192	Newr.exe	105
PID 1756 set thread context of 5032	1756	Newr.exe	109
PID 5032 set thread context of 2908	5032	Newr.exe	110
PID 3764 set thread context of 4020	3764	Newr.exe	112
PID 4020 set thread context of 632	4020	Newr.exe	113
PID 884 set thread context of 3780	884	Newr.exe	115
PID 3780 set thread context of 4856	3780	Newr.exe	116
PID 2488 set thread context of 4528	2488	Newr.exe	119
PID 4528 set thread context of 1764	4528	Newr.exe	120
PID 2408 set thread context of 872	2408	Newr.exe	124
PID 872 set thread context of 868	872	Newr.exe	125
PID 1228 set thread context of 2184	1228	Newr.exe	127
PID 2184 set thread context of 4960	2184	Newr.exe	128
PID 3608 set thread context of 4856	3608	Newr.exe	130
PID 4856 set thread context of 4860	4856	Newr.exe	131
PID 4868 set thread context of 1972	4868	Newr.exe	133
PID 1972 set thread context of 2796	1972	Newr.exe	134
PID 2564 set thread context of 836	2564	Newr.exe	136
PID 836 set thread context of 1900	836	Newr.exe	137
PID 3752 set thread context of 1088	3752	Newr.exe	140
PID 1088 set thread context of 1776	1088	Newr.exe	141
PID 1612 set thread context of 1264	1612	Newr.exe	143
PID 1264 set thread context of 4500	1264	Newr.exe	144
PID 4968 set thread context of 116	4968	Newr.exe	146
PID 116 set thread context of 4768	116	Newr.exe	147
PID 2564 set thread context of 1160	2564	Newr.exe	149
PID 1160 set thread context of 1920	1160	Newr.exe	150
PID 2280 set thread context of 4076	2280	Newr.exe	152
PID 4076 set thread context of 1892	4076	Newr.exe	153
PID 2240 set thread context of 1920	2240	Newr.exe	163
PID 1920 set thread context of 3132	1920	Newr.exe	164
PID 4996 set thread context of 4780	4996	Newr.exe	166
PID 4780 set thread context of 2236	4780	Newr.exe	167
PID 4316 set thread context of 4860	4316	Newr.exe	169
PID 4860 set thread context of 2080	4860	Newr.exe	170
PID 2460 set thread context of 3428	2460	Newr.exe	172
PID 3428 set thread context of 2552	3428	Newr.exe	173
PID 3312 set thread context of 4952	3312	Newr.exe	175
PID 4952 set thread context of 2564	4952	Newr.exe	176
PID 4816 set thread context of 3508	4816	Newr.exe	178
PID 3508 set thread context of 3932	3508	Newr.exe	179
PID 4112 set thread context of 4624	4112	Newr.exe	181
PID 4624 set thread context of 2472	4624	Newr.exe	182
PID 3740 set thread context of 968	3740	Newr.exe	187
PID 968 set thread context of 928	968	Newr.exe	188

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File opened for modification	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe
File created	C:\Windows\New\Newr.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newr.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
3752	svchost.exe
3360	Newr.exe
1040	svchost.exe
1756	Newr.exe
2908	svchost.exe
3764	Newr.exe
632	svchost.exe
884	Newr.exe
4856	svchost.exe
2488	Newr.exe
1764	svchost.exe
2408	Newr.exe
868	svchost.exe
1228	Newr.exe
4960	svchost.exe
3608	Newr.exe
4860	svchost.exe
4868	Newr.exe
2796	svchost.exe
2564	Newr.exe
1900	svchost.exe
3752	Newr.exe
1776	svchost.exe
1612	Newr.exe
4500	svchost.exe
4968	Newr.exe
4768	svchost.exe
2564	Newr.exe
1920	svchost.exe
2280	Newr.exe
1892	svchost.exe
2240	Newr.exe
4996	Newr.exe
2236	svchost.exe
4316	Newr.exe
2080	svchost.exe
2460	Newr.exe
2552	svchost.exe
3312	Newr.exe
2564	svchost.exe
4816	Newr.exe
3932	svchost.exe
4112	Newr.exe
2472	svchost.exe
3740	Newr.exe
928	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3416 wrote to memory of 3952	3416	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	94
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3952 wrote to memory of 3752	3952	856affc31c3958d297ea725b643655e7_JaffaCakes118.exe	95
PID 3752 wrote to memory of 2264	3752	svchost.exe	96
PID 3752 wrote to memory of 2264	3752	svchost.exe	96
PID 3752 wrote to memory of 2264	3752	svchost.exe	96
PID 3752 wrote to memory of 2264	3752	svchost.exe	96
PID 2264 wrote to memory of 3360	2264	svchost.exe	103
PID 2264 wrote to memory of 3360	2264	svchost.exe	103
PID 2264 wrote to memory of 3360	2264	svchost.exe	103
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 3360 wrote to memory of 2192	3360	Newr.exe	104
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2192 wrote to memory of 1040	2192	Newr.exe	105
PID 2264 wrote to memory of 1756	2264	svchost.exe	108
PID 2264 wrote to memory of 1756	2264	svchost.exe	108
PID 2264 wrote to memory of 1756	2264	svchost.exe	108
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109
PID 1756 wrote to memory of 5032	1756	Newr.exe	109

C:\Users\Admin\AppData\Local\Temp\856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\856affc31c3958d297ea725b643655e7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\856affc31c3958d297ea725b643655e7_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1040
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2908
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3764
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:632
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:884
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4856
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1764
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:868
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1228
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4960
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3608
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4860
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4868
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2796
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1900
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3752
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1776
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4968
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4768
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2564
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1920
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1892
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:3132
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4996
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2236
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4316
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2080
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3428
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2552
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3312
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2564
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4816
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3508
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3932
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4112
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2472
    - - C:\Windows\New\Newr.exe
        
        "C:\Windows\New\Newr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3740
      - C:\Windows\New\Newr.exe
        
        C:\Windows\New\Newr.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\New\Newr.exe

Filesize
556KB

MD5
856affc31c3958d297ea725b643655e7

SHA1
57c4b6013d8e17a14a4c696c688ba5de68144efe

SHA256
dbfa62dbc4e6db7006009e5c59b7e7fb7665d918eadd2f5d73724c9e4f628160

SHA512
da4b6de960b5ea975c417074a6aa29ae9a5679f0d5cd34f2752d9636571d2b378648db81d5d128b5acba725dd64388013205e87ecd21dce37b4d0d274cfccb9c

Download Submit
memory/632-82-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/632-84-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/884-86-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/884-92-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/1040-38-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1040-42-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1040-37-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1040-36-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1040-40-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1228-155-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/1612-260-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/1756-50-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2192-41-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2240-342-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2264-21-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2280-322-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2408-135-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2408-129-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2460-397-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2488-113-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2564-301-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2564-218-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/2908-63-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2908-61-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3312-418-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3360-31-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3416-7-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3416-0-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3608-176-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3740-476-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3752-232-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3752-239-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3752-10-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-11-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-9-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-16-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-23-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-22-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-17-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3752-18-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3764-65-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3764-71-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/3780-97-0x0000000000540000-0x0000000000609000-memory.dmp

Filesize
804KB

Download
memory/3952-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-5-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4020-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4112-459-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/4316-377-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/4816-439-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/4868-197-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/4968-281-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/4996-356-0x0000000000400000-0x00000000005A7150-memory.dmp

Filesize
1.7MB

Download
memory/5032-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads