xtremerat | 314cbea888ce2865a302b9b6a421e7c3ef9873b767d2bf7d769e5df1f8d9dc6e

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 06:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
Size

31KB
MD5

ae3085db3a5f145f8e81b26189a9bbf6
SHA1

b31ef86ac36c0fd684dd990a1a53cdc3d4c1a325
SHA256

314cbea888ce2865a302b9b6a421e7c3ef9873b767d2bf7d769e5df1f8d9dc6e
SHA512

fdba77e3d067584f357efce7423786f7f2d97e9a6f401b1bc86540be35703d3078974d42d74fc19d47d8e72dd36ad4078f9bb06d65c9f139d877c4a7557edba9
SSDEEP

768:vIsF81fG9QveLOYTe5YiIRa1XHCJNl5uI:vIsFw9veLJTouqXHCd5u

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

blacksniper.no-ip.info

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-9-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2476-11-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2476-12-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2476-19-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2784-25-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2740-38-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-51-0x0000000002590000-0x00000000025AD000-memory.dmp	family_xtremerat
behavioral1/memory/2384-50-0x0000000002590000-0x00000000025AD000-memory.dmp	family_xtremerat
behavioral1/memory/2128-45-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/668-60-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2972-59-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1572-63-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1964-67-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/668-84-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/668-86-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1860-92-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1860-97-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2388-100-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/788-107-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/788-104-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-112-0x0000000002E80000-0x0000000002E9D000-memory.dmp	family_xtremerat
behavioral1/memory/2360-119-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1868-124-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-134-0x0000000002E30000-0x0000000002E4D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-133-0x0000000002E80000-0x0000000002E9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-132-0x0000000002E80000-0x0000000002E9D000-memory.dmp	family_xtremerat
behavioral1/memory/2772-128-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2940-140-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2896-146-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2896-144-0x00000000033D0000-0x00000000033ED000-memory.dmp	family_xtremerat
behavioral1/memory/2896-142-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/624-156-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/624-153-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-162-0x00000000030F0000-0x000000000310D000-memory.dmp	family_xtremerat
behavioral1/memory/2996-166-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3024-170-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/984-172-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2744-181-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1516-185-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2080-187-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/996-194-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/996-196-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2328-200-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2112-205-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3280-206-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3300-211-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3196-213-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3092-214-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3092-216-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3280-220-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3476-224-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3568-228-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3736-232-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3840-236-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/2384-240-0x00000000047A0000-0x00000000047BD000-memory.dmp	family_xtremerat
behavioral1/memory/3984-245-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3984-243-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3084-249-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3084-251-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3140-256-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3372-260-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/3508-265-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat
behavioral1/memory/1700-266-0x0000000000C80000-0x0000000000C9D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q758KC88-45R8-5336-8782-RB442NMV103V}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe restart"	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2784	cmd.exe
2740	cmd.exe
2128	cmd.exe
2972	cmd.exe
1964	cmd.exe
1572	cmd.exe
668	cmd.exe
1860	cmd.exe
788	cmd.exe
2388	cmd.exe
2360	cmd.exe
1868	cmd.exe
2772	cmd.exe
2896	cmd.exe
624	cmd.exe
2940	cmd.exe
2996	cmd.exe
3024	cmd.exe
984	cmd.exe
2744	cmd.exe
2080	cmd.exe
1516	cmd.exe
996	cmd.exe
2328	cmd.exe
2112	cmd.exe
3092	cmd.exe
3196	cmd.exe
3280	cmd.exe
3300	cmd.exe
3476	cmd.exe
3568	cmd.exe
3736	cmd.exe
3840	cmd.exe
3984	cmd.exe
3084	cmd.exe
3140	cmd.exe
3372	cmd.exe
3508	cmd.exe
920	cmd.exe
3740	cmd.exe
1700	cmd.exe
3504	cmd.exe
3976	cmd.exe
3984	cmd.exe
3300	cmd.exe
4020	cmd.exe
4132	cmd.exe
4184	cmd.exe
4352	cmd.exe
4432	cmd.exe
4604	cmd.exe
4684	cmd.exe
4732	cmd.exe
4932	cmd.exe
5012	cmd.exe
5088	cmd.exe
4148	cmd.exe
4376	cmd.exe
4784	cmd.exe
5008	cmd.exe
5104	cmd.exe
4992	cmd.exe
4772	cmd.exe
4752	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
2784	cmd.exe
2384	svchost.exe
2384	svchost.exe
2740	cmd.exe
2128	cmd.exe
2384	svchost.exe
2384	svchost.exe
2972	cmd.exe
1964	cmd.exe
2384	svchost.exe
2384	svchost.exe
668	cmd.exe
1860	cmd.exe
788	cmd.exe
2384	svchost.exe
2384	svchost.exe
1868	cmd.exe
2772	cmd.exe
2384	svchost.exe
2384	svchost.exe
2896	cmd.exe
624	cmd.exe
2384	svchost.exe
2384	svchost.exe
2996	cmd.exe
984	cmd.exe
2384	svchost.exe
2384	svchost.exe
2744	cmd.exe
2080	cmd.exe
2384	svchost.exe
2384	svchost.exe
996	cmd.exe
2328	cmd.exe
2112	cmd.exe
2384	svchost.exe
2384	svchost.exe
3092	cmd.exe
3280	cmd.exe
3476	cmd.exe
3568	cmd.exe
3736	cmd.exe
3840	cmd.exe
2384	svchost.exe
2384	svchost.exe
3984	cmd.exe
3084	cmd.exe
3140	cmd.exe
3372	cmd.exe
3508	cmd.exe
2384	svchost.exe
2384	svchost.exe
3740	cmd.exe
1700	cmd.exe
2384	svchost.exe
3504	cmd.exe
2384	svchost.exe
3984	cmd.exe
2384	svchost.exe
2384	svchost.exe
4132	cmd.exe
4184	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2384-9-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/files/0x0008000000019444-10.dat	upx
behavioral1/memory/2476-11-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2476-12-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2476-15-0x0000000003DF0000-0x0000000003E0D000-memory.dmp	upx
behavioral1/memory/2476-19-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2784-25-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2128-33-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2384-32-0x0000000002590000-0x00000000025AD000-memory.dmp	upx
behavioral1/memory/2740-38-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2384-50-0x0000000002590000-0x00000000025AD000-memory.dmp	upx
behavioral1/memory/2128-45-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/668-60-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2972-59-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1572-63-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1964-67-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1860-69-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/668-84-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/668-86-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1860-92-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1860-97-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2388-100-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/788-107-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1868-105-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/788-104-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2360-119-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1868-124-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2384-132-0x0000000002E80000-0x0000000002E9D000-memory.dmp	upx
behavioral1/memory/2772-128-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2940-140-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2896-146-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2896-142-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/624-156-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/624-153-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/624-152-0x00000000034A0000-0x00000000034BD000-memory.dmp	upx
behavioral1/memory/2384-161-0x00000000030F0000-0x000000000310D000-memory.dmp	upx
behavioral1/memory/2996-166-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3024-170-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/984-172-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2744-181-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/1516-185-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2080-187-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/996-194-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/996-196-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2328-200-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3196-201-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2112-205-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3280-206-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3300-211-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3196-213-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3092-214-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3092-216-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3280-220-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3476-224-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3568-228-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3736-232-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3840-236-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/2384-240-0x00000000047A0000-0x00000000047BD000-memory.dmp	upx
behavioral1/memory/3984-245-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3984-243-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3084-249-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3084-251-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx
behavioral1/memory/3140-256-0x0000000000C80000-0x0000000000C9D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\cmd.exe"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2384	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2384	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2384	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2384	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2384	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1336	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1336	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1336	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1336	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1336	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2056	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2056	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2056	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2056	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2056	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	33
PID 2476 wrote to memory of 1728	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	34
PID 2476 wrote to memory of 1728	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	34
PID 2476 wrote to memory of 1728	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	34
PID 2476 wrote to memory of 1728	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	34
PID 2476 wrote to memory of 1728	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	34
PID 2476 wrote to memory of 2884	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	35
PID 2476 wrote to memory of 2884	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	35
PID 2476 wrote to memory of 2884	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	35
PID 2476 wrote to memory of 2884	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	35
PID 2476 wrote to memory of 2884	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	35
PID 2476 wrote to memory of 2200	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	36
PID 2476 wrote to memory of 2200	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	36
PID 2476 wrote to memory of 2200	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	36
PID 2476 wrote to memory of 2200	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	36
PID 2476 wrote to memory of 2200	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	36
PID 2476 wrote to memory of 2168	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	37
PID 2476 wrote to memory of 2168	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	37
PID 2476 wrote to memory of 2168	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	37
PID 2476 wrote to memory of 2168	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	37
PID 2476 wrote to memory of 2168	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	37
PID 2476 wrote to memory of 2708	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	38
PID 2476 wrote to memory of 2708	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	38
PID 2476 wrote to memory of 2708	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	38
PID 2476 wrote to memory of 2708	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	38
PID 2476 wrote to memory of 2708	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	38
PID 2476 wrote to memory of 2672	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	39
PID 2476 wrote to memory of 2672	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	39
PID 2476 wrote to memory of 2672	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	39
PID 2476 wrote to memory of 2672	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	39
PID 2476 wrote to memory of 2784	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	40
PID 2476 wrote to memory of 2784	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	40
PID 2476 wrote to memory of 2784	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	40
PID 2476 wrote to memory of 2784	2476	ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe	40
PID 2784 wrote to memory of 2992	2784	cmd.exe	41
PID 2784 wrote to memory of 2992	2784	cmd.exe	41
PID 2784 wrote to memory of 2992	2784	cmd.exe	41
PID 2784 wrote to memory of 2992	2784	cmd.exe	41
PID 2784 wrote to memory of 2992	2784	cmd.exe	41
PID 2784 wrote to memory of 1296	2784	cmd.exe	42
PID 2784 wrote to memory of 1296	2784	cmd.exe	42
PID 2784 wrote to memory of 1296	2784	cmd.exe	42
PID 2784 wrote to memory of 1296	2784	cmd.exe	42
PID 2784 wrote to memory of 1296	2784	cmd.exe	42
PID 2784 wrote to memory of 2684	2784	cmd.exe	43
PID 2784 wrote to memory of 2684	2784	cmd.exe	43
PID 2784 wrote to memory of 2684	2784	cmd.exe	43
PID 2784 wrote to memory of 2684	2784	cmd.exe	43
PID 2784 wrote to memory of 2684	2784	cmd.exe	43
PID 2784 wrote to memory of 2252	2784	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae3085db3a5f145f8e81b26189a9bbf6_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2128
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1648
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1124
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2960
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1964
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3064
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1536
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2104
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2376
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2536
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1412
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:284
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2980
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:896
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:788
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1032
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2788
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2444
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1344
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1784
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3740
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2760
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2736
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1228
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:704
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1420
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2144
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2556
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2204
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3032
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2312
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:112
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2080
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:780
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1176
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1612
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3248
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2932
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3024
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:348
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3280
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3376
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3412
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3432
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3468
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3524
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:5448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:5488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:5504
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3300
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2328
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3348
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3132
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3764
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1620
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3860
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2676
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3372
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4220
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4240
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4256
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4312
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4332
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4432
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4472
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4492
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4508
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4528
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4564
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4760
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4344
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4204
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4460
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5084
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1928
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4420
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4412
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      PID:4992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4952
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4184
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5016
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:4888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5168
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5188
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      PID:5240
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5296
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5404
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5460
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5480
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5736
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5436
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5268
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:5552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5612
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5636
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5864
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5924
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5960
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6032
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5744
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6012
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6028
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6072
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6108
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        
        PID:5080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5564
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    PID:5552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5912
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6100
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    PID:5140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5456
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1336
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2056
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1728
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2884
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2200
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2168
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2708
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2992
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1296
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2684
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2252
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2860
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2972
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2964
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2172
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2152
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2188
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:912
    - - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallDir\cmd.exe

Filesize
31KB

MD5
ae3085db3a5f145f8e81b26189a9bbf6

SHA1
b31ef86ac36c0fd684dd990a1a53cdc3d4c1a325

SHA256
314cbea888ce2865a302b9b6a421e7c3ef9873b767d2bf7d769e5df1f8d9dc6e

SHA512
fdba77e3d067584f357efce7423786f7f2d97e9a6f401b1bc86540be35703d3078974d42d74fc19d47d8e72dd36ad4078f9bb06d65c9f139d877c4a7557edba9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
a89279eb5461c59834f110113741402f

SHA1
f5d30a83e82107e33795b5c8ad0ede0fa701303e

SHA256
b322dfe402fdd532c1e62d3ad2b6ca59bb5741ef828f537691cf03cf9be22df2

SHA512
9aa3693492c110825187ea20322f89ab2456ffe54b4ca8dda342f8df9f14e82b0ec3359b87d502761f30de2ba636c55786d20e190c928f8845c964eaa2fe2666

Download Submit
memory/624-156-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/624-153-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/624-152-0x00000000034A0000-0x00000000034BD000-memory.dmp

Filesize
116KB

Download
memory/668-60-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/668-84-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/668-86-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/668-83-0x00000000035A0000-0x00000000035BD000-memory.dmp

Filesize
116KB

Download
memory/788-102-0x00000000034C0000-0x00000000034DD000-memory.dmp

Filesize
116KB

Download
memory/788-107-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/788-104-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/920-270-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/984-172-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/996-194-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/996-193-0x0000000003460000-0x000000000347D000-memory.dmp

Filesize
116KB

Download
memory/996-196-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1516-185-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1572-63-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1700-266-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1860-97-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1860-69-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1860-92-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1868-124-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1868-105-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/1868-122-0x0000000003460000-0x000000000347D000-memory.dmp

Filesize
116KB

Download
memory/1964-67-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2080-187-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2112-205-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2128-43-0x0000000003560000-0x000000000357D000-memory.dmp

Filesize
116KB

Download
memory/2128-45-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2128-33-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2328-200-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2360-119-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2384-94-0x0000000002A20000-0x0000000002A3D000-memory.dmp

Filesize
116KB

Download
memory/2384-240-0x00000000047A0000-0x00000000047BD000-memory.dmp

Filesize
116KB

Download
memory/2384-8-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2384-74-0x0000000002A20000-0x0000000002A3D000-memory.dmp

Filesize
116KB

Download
memory/2384-75-0x0000000002A20000-0x0000000002A3D000-memory.dmp

Filesize
116KB

Download
memory/2384-76-0x0000000002890000-0x00000000028AD000-memory.dmp

Filesize
116KB

Download
memory/2384-49-0x0000000002890000-0x00000000028AD000-memory.dmp

Filesize
116KB

Download
memory/2384-111-0x0000000002E80000-0x0000000002E9D000-memory.dmp

Filesize
116KB

Download
memory/2384-112-0x0000000002E80000-0x0000000002E9D000-memory.dmp

Filesize
116KB

Download
memory/2384-50-0x0000000002590000-0x00000000025AD000-memory.dmp

Filesize
116KB

Download
memory/2384-51-0x0000000002590000-0x00000000025AD000-memory.dmp

Filesize
116KB

Download
memory/2384-9-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2384-134-0x0000000002E30000-0x0000000002E4D000-memory.dmp

Filesize
116KB

Download
memory/2384-133-0x0000000002E80000-0x0000000002E9D000-memory.dmp

Filesize
116KB

Download
memory/2384-132-0x0000000002E80000-0x0000000002E9D000-memory.dmp

Filesize
116KB

Download
memory/2384-190-0x0000000004510000-0x000000000452D000-memory.dmp

Filesize
116KB

Download
memory/2384-254-0x00000000047A0000-0x00000000047BD000-memory.dmp

Filesize
116KB

Download
memory/2384-239-0x00000000047A0000-0x00000000047BD000-memory.dmp

Filesize
116KB

Download
memory/2384-175-0x00000000030F0000-0x000000000310D000-memory.dmp

Filesize
116KB

Download
memory/2384-95-0x0000000002A20000-0x0000000002A3D000-memory.dmp

Filesize
116KB

Download
memory/2384-32-0x0000000002590000-0x00000000025AD000-memory.dmp

Filesize
116KB

Download
memory/2384-154-0x0000000002E30000-0x0000000002E4D000-memory.dmp

Filesize
116KB

Download
memory/2384-176-0x00000000030F0000-0x000000000310D000-memory.dmp

Filesize
116KB

Download
memory/2384-161-0x00000000030F0000-0x000000000310D000-memory.dmp

Filesize
116KB

Download
memory/2384-162-0x00000000030F0000-0x000000000310D000-memory.dmp

Filesize
116KB

Download
memory/2388-100-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2476-11-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2476-15-0x0000000003DF0000-0x0000000003E0D000-memory.dmp

Filesize
116KB

Download
memory/2476-17-0x0000000003DF0000-0x0000000003E0D000-memory.dmp

Filesize
116KB

Download
memory/2476-0-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2476-12-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2476-19-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2740-38-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2744-181-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2744-179-0x00000000033B0000-0x00000000033CD000-memory.dmp

Filesize
116KB

Download
memory/2772-128-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2784-25-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2784-23-0x0000000003460000-0x000000000347D000-memory.dmp

Filesize
116KB

Download
memory/2896-144-0x00000000033D0000-0x00000000033ED000-memory.dmp

Filesize
116KB

Download
memory/2896-142-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2896-146-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2940-140-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2972-59-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/2972-56-0x0000000003450000-0x000000000346D000-memory.dmp

Filesize
116KB

Download
memory/2996-166-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3024-170-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3084-248-0x00000000034B0000-0x00000000034CD000-memory.dmp

Filesize
116KB

Download
memory/3084-251-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3084-249-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3092-216-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3092-214-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3140-256-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3196-201-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3196-213-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3280-206-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3280-220-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3300-298-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3300-211-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3372-260-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3476-224-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3508-263-0x00000000035B0000-0x00000000035CD000-memory.dmp

Filesize
116KB

Download
memory/3508-265-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3568-228-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3736-232-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3740-273-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3740-275-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3840-236-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3984-243-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/3984-245-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download
memory/5088-348-0x0000000000C80000-0x0000000000C9D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads