53b344f6557bcf013ec2f7bc87c490c4d565ef0c1bebdddf66be9536e38493d1

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
Size

238KB
MD5

c0b6ad65dd559b72bc3e8ac9a0931a49
SHA1

0fdac98ec965cee92e3fe11e6b9eb7a40a98dab6
SHA256

53b344f6557bcf013ec2f7bc87c490c4d565ef0c1bebdddf66be9536e38493d1
SHA512

5d7288b4619b10fd25590f69c32ee0bf56b6011f4e2e4c73c18e651bca85b60d318a4bf2ef4e528b555c8e56e81330f93cea262e76d14640e29026e176b2e6c3
SSDEEP

6144:DzIdQq3Jh/Z0n9jqvqmgmreXT0M0NrhSfwqMGy:DziQq3Jh4jqvq6eD0rrh9My

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2240	iplog.exe
2776	iplog.exe
2736	iplog.exe
2792	iplog.exe
2796	iplog.exe
2696	iplog.exe
1428	iplog.exe
588	iplog.exe
1496	iplog.exe
2944	iplog.exe
2812	iplog.exe
1084	iplog.exe
736	iplog.exe
1716	iplog.exe
1728	iplog.exe
2808	iplog.exe
2156	iplog.exe
2332	iplog.exe
1552	iplog.exe
2144	iplog.exe
2020	iplog.exe
1740	iplog.exe
1464	iplog.exe
1752	iplog.exe
1732	iplog.exe
1800	iplog.exe
904	iplog.exe
1192	iplog.exe
2168	iplog.exe
2972	iplog.exe
2096	iplog.exe
3048	iplog.exe
1560	iplog.exe
2200	iplog.exe
2356	iplog.exe
2564	iplog.exe
2304	iplog.exe
2896	iplog.exe
2784	iplog.exe
2980	iplog.exe
2948	iplog.exe
1028	iplog.exe
2632	iplog.exe
2684	iplog.exe
2716	iplog.exe
2264	iplog.exe
1952	iplog.exe
1488	iplog.exe
588	iplog.exe
1764	iplog.exe
1496	iplog.exe
1536	iplog.exe
880	iplog.exe
1620	iplog.exe
2964	iplog.exe
1976	iplog.exe
2324	iplog.exe
2308	iplog.exe
936	iplog.exe
2172	iplog.exe
572	iplog.exe
2156	iplog.exe
1928	iplog.exe
2540	iplog.exe

Loads dropped DLL 64 IoCs

pid	Process
2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
2240	iplog.exe
2240	iplog.exe
2776	iplog.exe
2776	iplog.exe
2736	iplog.exe
2736	iplog.exe
2792	iplog.exe
2792	iplog.exe
2796	iplog.exe
2796	iplog.exe
2696	iplog.exe
2696	iplog.exe
1428	iplog.exe
1428	iplog.exe
588	iplog.exe
588	iplog.exe
1496	iplog.exe
1496	iplog.exe
2944	iplog.exe
2944	iplog.exe
2812	iplog.exe
2812	iplog.exe
1084	iplog.exe
1084	iplog.exe
736	iplog.exe
736	iplog.exe
1716	iplog.exe
1716	iplog.exe
1728	iplog.exe
1728	iplog.exe
2808	iplog.exe
2808	iplog.exe
2156	iplog.exe
2156	iplog.exe
2332	iplog.exe
2332	iplog.exe
1552	iplog.exe
1552	iplog.exe
2144	iplog.exe
2144	iplog.exe
2020	iplog.exe
2020	iplog.exe
1740	iplog.exe
1740	iplog.exe
1464	iplog.exe
1464	iplog.exe
1752	iplog.exe
1752	iplog.exe
1732	iplog.exe
1732	iplog.exe
1800	iplog.exe
1800	iplog.exe
904	iplog.exe
904	iplog.exe
1192	iplog.exe
1192	iplog.exe
2168	iplog.exe
2168	iplog.exe
2972	iplog.exe
2972	iplog.exe
2096	iplog.exe
2096	iplog.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/files/0x0008000000018eb8-6.dat	upx
behavioral1/memory/2240-17-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2256-15-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2240-27-0x0000000001F30000-0x0000000001FD3000-memory.dmp	upx
behavioral1/memory/2240-30-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2776-32-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2736-45-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2776-44-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2792-58-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2736-57-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2792-69-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2696-82-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2796-80-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1428-94-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2696-92-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1428-105-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1496-118-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/588-116-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1496-127-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2944-129-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2944-139-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1084-147-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2812-146-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1084-152-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/736-153-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/736-158-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1716-163-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2808-169-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1728-168-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2156-176-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2808-175-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1716-182-0x0000000002C70000-0x0000000002D13000-memory.dmp	upx
behavioral1/memory/2156-181-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2332-188-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1552-189-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1552-194-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2144-195-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2144-200-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1740-205-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2020-204-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1740-210-0x0000000001F60000-0x0000000002003000-memory.dmp	upx
behavioral1/memory/1740-211-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1464-212-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1464-217-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1732-224-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1752-223-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1732-230-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1800-235-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/904-240-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1192-245-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2168-250-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2096-256-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2972-255-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2096-261-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/3048-266-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1560-271-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2200-276-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2564-282-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2356-281-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2304-288-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2564-287-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2304-293-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2784-299-0x0000000000400000-0x00000000004A3000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File created	C:\Windows\sk.exe	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2240	2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2240	2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2240	2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2240	2256	c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2776	2240	iplog.exe	30
PID 2240 wrote to memory of 2776	2240	iplog.exe	30
PID 2240 wrote to memory of 2776	2240	iplog.exe	30
PID 2240 wrote to memory of 2776	2240	iplog.exe	30
PID 2776 wrote to memory of 2736	2776	iplog.exe	31
PID 2776 wrote to memory of 2736	2776	iplog.exe	31
PID 2776 wrote to memory of 2736	2776	iplog.exe	31
PID 2776 wrote to memory of 2736	2776	iplog.exe	31
PID 2736 wrote to memory of 2792	2736	iplog.exe	32
PID 2736 wrote to memory of 2792	2736	iplog.exe	32
PID 2736 wrote to memory of 2792	2736	iplog.exe	32
PID 2736 wrote to memory of 2792	2736	iplog.exe	32
PID 2792 wrote to memory of 2796	2792	iplog.exe	33
PID 2792 wrote to memory of 2796	2792	iplog.exe	33
PID 2792 wrote to memory of 2796	2792	iplog.exe	33
PID 2792 wrote to memory of 2796	2792	iplog.exe	33
PID 2796 wrote to memory of 2696	2796	iplog.exe	34
PID 2796 wrote to memory of 2696	2796	iplog.exe	34
PID 2796 wrote to memory of 2696	2796	iplog.exe	34
PID 2796 wrote to memory of 2696	2796	iplog.exe	34
PID 2696 wrote to memory of 1428	2696	iplog.exe	35
PID 2696 wrote to memory of 1428	2696	iplog.exe	35
PID 2696 wrote to memory of 1428	2696	iplog.exe	35
PID 2696 wrote to memory of 1428	2696	iplog.exe	35
PID 1428 wrote to memory of 588	1428	iplog.exe	36
PID 1428 wrote to memory of 588	1428	iplog.exe	36
PID 1428 wrote to memory of 588	1428	iplog.exe	36
PID 1428 wrote to memory of 588	1428	iplog.exe	36
PID 588 wrote to memory of 1496	588	iplog.exe	37
PID 588 wrote to memory of 1496	588	iplog.exe	37
PID 588 wrote to memory of 1496	588	iplog.exe	37
PID 588 wrote to memory of 1496	588	iplog.exe	37
PID 1496 wrote to memory of 2944	1496	iplog.exe	38
PID 1496 wrote to memory of 2944	1496	iplog.exe	38
PID 1496 wrote to memory of 2944	1496	iplog.exe	38
PID 1496 wrote to memory of 2944	1496	iplog.exe	38
PID 2944 wrote to memory of 2812	2944	iplog.exe	39
PID 2944 wrote to memory of 2812	2944	iplog.exe	39
PID 2944 wrote to memory of 2812	2944	iplog.exe	39
PID 2944 wrote to memory of 2812	2944	iplog.exe	39
PID 2812 wrote to memory of 1084	2812	iplog.exe	40
PID 2812 wrote to memory of 1084	2812	iplog.exe	40
PID 2812 wrote to memory of 1084	2812	iplog.exe	40
PID 2812 wrote to memory of 1084	2812	iplog.exe	40
PID 1084 wrote to memory of 736	1084	iplog.exe	41
PID 1084 wrote to memory of 736	1084	iplog.exe	41
PID 1084 wrote to memory of 736	1084	iplog.exe	41
PID 1084 wrote to memory of 736	1084	iplog.exe	41
PID 736 wrote to memory of 1716	736	iplog.exe	42
PID 736 wrote to memory of 1716	736	iplog.exe	42
PID 736 wrote to memory of 1716	736	iplog.exe	42
PID 736 wrote to memory of 1716	736	iplog.exe	42
PID 1716 wrote to memory of 1728	1716	iplog.exe	43
PID 1716 wrote to memory of 1728	1716	iplog.exe	43
PID 1716 wrote to memory of 1728	1716	iplog.exe	43
PID 1716 wrote to memory of 1728	1716	iplog.exe	43
PID 1728 wrote to memory of 2808	1728	iplog.exe	44
PID 1728 wrote to memory of 2808	1728	iplog.exe	44
PID 1728 wrote to memory of 2808	1728	iplog.exe	44
PID 1728 wrote to memory of 2808	1728	iplog.exe	44

C:\Users\Admin\AppData\Local\Temp\c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0b6ad65dd559b72bc3e8ac9a0931a49_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\iplog.exe
  C:\Windows\system32\iplog.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\iplog.exe
    C:\Windows\system32\iplog.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\iplog.exe
      C:\Windows\system32\iplog.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2808
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2020
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1740
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1800
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2356
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2304
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2896
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2980
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1496
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:572
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        66⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        68⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        69⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        70⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        71⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        73⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        74⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2268
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        76⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        77⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        78⤵
        Drops file in Windows directory
        
        PID:1000
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        79⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        80⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        81⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        82⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        83⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2968
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        84⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        86⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        87⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\logkey.ini

Filesize
50B

MD5
798e9d09e53254c0e70dd121cf63419b

SHA1
3b240d9315d03a03d447d7e48038b1d4a17e8167

SHA256
51355a51199fd9af5654338e100c392da2fa7d30e42ed3314be20edaa4969ec3

SHA512
e67804418a45570045cc52507333b6af1904e3b7f415cb1b58fb1af3887d6bc3d199db4aeac8c598d78370edc9a9870e2638475ac702281045923b86871ac5df

Download Submit
C:\Windows\sk.exe

Filesize
238KB

MD5
a954bd3c2be496fc9d476a944f9942e6

SHA1
e7b9dd17a1d963d7675af5545b7794ef61fd9721

SHA256
68c9c674a56e6dbff3847b2f687f9bc72a96d599b039d2b486b9e9102827d926

SHA512
dc6cbd2df26bb3c3f605af26213bc97439cff9fbb011cbe3ac300d07d867e33ee36304c307e1a5b178b899062846230acc7642d0d0f4d7c20db893b277a1f99f

Download Submit
\Windows\SysWOW64\iplog.exe

Filesize
238KB

MD5
c0b6ad65dd559b72bc3e8ac9a0931a49

SHA1
0fdac98ec965cee92e3fe11e6b9eb7a40a98dab6

SHA256
53b344f6557bcf013ec2f7bc87c490c4d565ef0c1bebdddf66be9536e38493d1

SHA512
5d7288b4619b10fd25590f69c32ee0bf56b6011f4e2e4c73c18e651bca85b60d318a4bf2ef4e528b555c8e56e81330f93cea262e76d14640e29026e176b2e6c3

Download Submit
memory/572-414-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/588-116-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/588-359-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/588-354-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/736-158-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/736-153-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/880-381-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/904-240-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/936-406-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1028-321-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1028-320-0x0000000002030000-0x00000000020D3000-memory.dmp

Filesize
652KB

Download
memory/1084-147-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1084-152-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1192-245-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1428-94-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1428-105-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1464-212-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1464-217-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1488-353-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1496-118-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1496-127-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1496-371-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1496-366-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1536-376-0x0000000001FB0000-0x0000000002053000-memory.dmp

Filesize
652KB

Download
memory/1552-194-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1552-189-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1560-271-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1620-386-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1716-182-0x0000000002C70000-0x0000000002D13000-memory.dmp

Filesize
652KB

Download
memory/1716-163-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1728-168-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1732-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1732-229-0x0000000001F80000-0x0000000002023000-memory.dmp

Filesize
652KB

Download
memory/1732-230-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1740-205-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1740-210-0x0000000001F60000-0x0000000002003000-memory.dmp

Filesize
652KB

Download
memory/1740-211-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1752-222-0x0000000002C40000-0x0000000002CE3000-memory.dmp

Filesize
652KB

Download
memory/1752-223-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1764-365-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1764-360-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1800-235-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1928-422-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1952-349-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1976-394-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2020-204-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2096-256-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2096-261-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2144-195-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2144-200-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2156-418-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2156-181-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2156-176-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2168-250-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2172-410-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2200-276-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2240-30-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2240-27-0x0000000001F30000-0x0000000001FD3000-memory.dmp

Filesize
652KB

Download
memory/2240-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2256-13-0x0000000001FE0000-0x0000000002083000-memory.dmp

Filesize
652KB

Download
memory/2256-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2256-12-0x0000000001FE0000-0x0000000002083000-memory.dmp

Filesize
652KB

Download
memory/2256-15-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2256-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2264-344-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2264-339-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2304-293-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2304-288-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2308-402-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2324-398-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2332-188-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2332-187-0x0000000001FB0000-0x0000000002053000-memory.dmp

Filesize
652KB

Download
memory/2356-281-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2564-282-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2564-287-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2632-327-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2632-322-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2684-332-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2696-92-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2696-82-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2716-338-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2716-333-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2736-57-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2736-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2736-45-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2776-44-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2776-32-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2776-33-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-304-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2784-299-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2792-68-0x0000000001FA0000-0x0000000002043000-memory.dmp

Filesize
652KB

Download
memory/2792-96-0x0000000001FA0000-0x0000000002043000-memory.dmp

Filesize
652KB

Download
memory/2792-69-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2792-58-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2796-80-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2808-169-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2808-174-0x0000000002C80000-0x0000000002D23000-memory.dmp

Filesize
652KB

Download
memory/2808-175-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2812-145-0x0000000001E50000-0x0000000001EF3000-memory.dmp

Filesize
652KB

Download
memory/2812-146-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2896-298-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2944-129-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2944-139-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2948-315-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2964-390-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2972-255-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2980-305-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2980-310-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3048-266-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download