4bfb848ca54ce50688857ee50399b9af8b755d916ce502ff3e0107816ada44cf

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe
Size

831KB
MD5

c9683c5b615f00d260307e04239ade84
SHA1

8863cc68bc0d0d813a0c6689ddee3fbe2d8f9888
SHA256

4bfb848ca54ce50688857ee50399b9af8b755d916ce502ff3e0107816ada44cf
SHA512

e7a97fc441d8d3f3c62575f6ad0c2c37c10e7968c327c30a6329059269611dd311af28e0687ef6b6d6e37ef248025b3095d6fac4d76efd2307855882ba5a2db5
SSDEEP

12288:hef9MTeKoFU8Pv7aJPfhfnuBYscce+UGy8imJMou2Imc:sfYLoFDuppfnuBY1+UGJ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	systemntfy.exe

Executes dropped EXE 64 IoCs

pid	Process
220	systemntfy.exe
2212	systemntfy.exe
408	systemntfy.exe
3464	systemntfy.exe
4696	systemntfy.exe
4368	systemntfy.exe
2748	systemntfy.exe
3372	systemntfy.exe
3456	systemntfy.exe
4896	systemntfy.exe
2040	systemntfy.exe
4264	systemntfy.exe
3676	systemntfy.exe
1008	systemntfy.exe
3772	systemntfy.exe
2592	systemntfy.exe
4372	systemntfy.exe
1932	systemntfy.exe
3824	systemntfy.exe
5100	systemntfy.exe
3896	systemntfy.exe
2412	systemntfy.exe
4316	systemntfy.exe
3444	systemntfy.exe
3084	systemntfy.exe
372	systemntfy.exe
948	systemntfy.exe
4368	systemntfy.exe
716	systemntfy.exe
2616	systemntfy.exe
2460	systemntfy.exe
4572	systemntfy.exe
8	systemntfy.exe
4180	systemntfy.exe
1512	systemntfy.exe
3020	systemntfy.exe
4352	systemntfy.exe
4988	systemntfy.exe
4372	systemntfy.exe
1452	systemntfy.exe
3752	systemntfy.exe
4660	systemntfy.exe
4168	systemntfy.exe
2476	systemntfy.exe
3056	systemntfy.exe
444	systemntfy.exe
508	systemntfy.exe
2848	systemntfy.exe
2212	systemntfy.exe
864	systemntfy.exe
3652	systemntfy.exe
4724	systemntfy.exe
3616	systemntfy.exe
2260	systemntfy.exe
3064	systemntfy.exe
2616	systemntfy.exe
2460	systemntfy.exe
1976	systemntfy.exe
1960	systemntfy.exe
3772	systemntfy.exe
2056	systemntfy.exe
3516	systemntfy.exe
4932	systemntfy.exe
1224	systemntfy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4136-0-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-6.dat	upx
behavioral2/memory/4136-63-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/220-65-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2212-67-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/408-69-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3464-71-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4696-73-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4368-75-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2748-77-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3372-79-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3456-81-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4896-83-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2040-85-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4264-87-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3676-89-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/1008-91-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3772-93-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2592-95-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4372-97-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/1932-99-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3824-101-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/5100-103-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3896-105-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2412-107-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4316-110-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3444-112-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3084-114-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/372-116-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/948-118-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4368-120-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/716-122-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2616-124-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2460-126-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/8-128-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4572-129-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/8-130-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4180-131-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/1512-132-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3020-133-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4352-134-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4988-135-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4372-136-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/1452-137-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3752-138-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4168-139-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4660-140-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2476-141-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4168-142-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2476-143-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3056-144-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/444-145-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/508-146-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2848-147-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2212-148-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/864-149-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3652-150-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4724-151-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3616-152-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2260-153-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3064-154-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2616-155-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/2460-156-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/1976-157-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systemntfy = "C:\\Windows\\system32\\systemntfy.exe"	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\systemntfy.exe	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\systemntfy.exe	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemntfy.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemntfy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 220	4136	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe	87
PID 4136 wrote to memory of 220	4136	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe	87
PID 4136 wrote to memory of 220	4136	c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe	87
PID 220 wrote to memory of 2212	220	systemntfy.exe	90
PID 220 wrote to memory of 2212	220	systemntfy.exe	90
PID 220 wrote to memory of 2212	220	systemntfy.exe	90
PID 2212 wrote to memory of 408	2212	systemntfy.exe	91
PID 2212 wrote to memory of 408	2212	systemntfy.exe	91
PID 2212 wrote to memory of 408	2212	systemntfy.exe	91
PID 408 wrote to memory of 3464	408	systemntfy.exe	92
PID 408 wrote to memory of 3464	408	systemntfy.exe	92
PID 408 wrote to memory of 3464	408	systemntfy.exe	92
PID 3464 wrote to memory of 4696	3464	systemntfy.exe	93
PID 3464 wrote to memory of 4696	3464	systemntfy.exe	93
PID 3464 wrote to memory of 4696	3464	systemntfy.exe	93
PID 4696 wrote to memory of 4368	4696	systemntfy.exe	94
PID 4696 wrote to memory of 4368	4696	systemntfy.exe	94
PID 4696 wrote to memory of 4368	4696	systemntfy.exe	94
PID 4368 wrote to memory of 2748	4368	systemntfy.exe	95
PID 4368 wrote to memory of 2748	4368	systemntfy.exe	95
PID 4368 wrote to memory of 2748	4368	systemntfy.exe	95
PID 2748 wrote to memory of 3372	2748	systemntfy.exe	96
PID 2748 wrote to memory of 3372	2748	systemntfy.exe	96
PID 2748 wrote to memory of 3372	2748	systemntfy.exe	96
PID 3372 wrote to memory of 3456	3372	systemntfy.exe	99
PID 3372 wrote to memory of 3456	3372	systemntfy.exe	99
PID 3372 wrote to memory of 3456	3372	systemntfy.exe	99
PID 3456 wrote to memory of 4896	3456	systemntfy.exe	100
PID 3456 wrote to memory of 4896	3456	systemntfy.exe	100
PID 3456 wrote to memory of 4896	3456	systemntfy.exe	100
PID 4896 wrote to memory of 2040	4896	systemntfy.exe	101
PID 4896 wrote to memory of 2040	4896	systemntfy.exe	101
PID 4896 wrote to memory of 2040	4896	systemntfy.exe	101
PID 2040 wrote to memory of 4264	2040	systemntfy.exe	104
PID 2040 wrote to memory of 4264	2040	systemntfy.exe	104
PID 2040 wrote to memory of 4264	2040	systemntfy.exe	104
PID 4264 wrote to memory of 3676	4264	systemntfy.exe	105
PID 4264 wrote to memory of 3676	4264	systemntfy.exe	105
PID 4264 wrote to memory of 3676	4264	systemntfy.exe	105
PID 3676 wrote to memory of 1008	3676	systemntfy.exe	106
PID 3676 wrote to memory of 1008	3676	systemntfy.exe	106
PID 3676 wrote to memory of 1008	3676	systemntfy.exe	106
PID 1008 wrote to memory of 3772	1008	systemntfy.exe	107
PID 1008 wrote to memory of 3772	1008	systemntfy.exe	107
PID 1008 wrote to memory of 3772	1008	systemntfy.exe	107
PID 3772 wrote to memory of 2592	3772	systemntfy.exe	108
PID 3772 wrote to memory of 2592	3772	systemntfy.exe	108
PID 3772 wrote to memory of 2592	3772	systemntfy.exe	108
PID 2592 wrote to memory of 4372	2592	systemntfy.exe	109
PID 2592 wrote to memory of 4372	2592	systemntfy.exe	109
PID 2592 wrote to memory of 4372	2592	systemntfy.exe	109
PID 4372 wrote to memory of 1932	4372	systemntfy.exe	111
PID 4372 wrote to memory of 1932	4372	systemntfy.exe	111
PID 4372 wrote to memory of 1932	4372	systemntfy.exe	111
PID 1932 wrote to memory of 3824	1932	systemntfy.exe	112
PID 1932 wrote to memory of 3824	1932	systemntfy.exe	112
PID 1932 wrote to memory of 3824	1932	systemntfy.exe	112
PID 3824 wrote to memory of 5100	3824	systemntfy.exe	113
PID 3824 wrote to memory of 5100	3824	systemntfy.exe	113
PID 3824 wrote to memory of 5100	3824	systemntfy.exe	113
PID 5100 wrote to memory of 3896	5100	systemntfy.exe	114
PID 5100 wrote to memory of 3896	5100	systemntfy.exe	114
PID 5100 wrote to memory of 3896	5100	systemntfy.exe	114
PID 3896 wrote to memory of 2412	3896	systemntfy.exe	116

C:\Users\Admin\AppData\Local\Temp\c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9683c5b615f00d260307e04239ade84_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\systemntfy.exe
  "C:\Windows\system32\systemntfy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\systemntfy.exe
    "C:\Windows\system32\systemntfy.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\systemntfy.exe
      "C:\Windows\system32\systemntfy.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
      - C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        25⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        27⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        28⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        32⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        34⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        35⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        36⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        37⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        38⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        40⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        41⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        50⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        52⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        53⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        54⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        55⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        56⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        64⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        65⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        66⤵
        Checks computer location settings
        
        PID:3936
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        67⤵
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        68⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        69⤵
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        70⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        71⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        73⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        74⤵
        Checks computer location settings
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        75⤵
        Checks computer location settings
        
        PID:1728
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        77⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        79⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        80⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        81⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        85⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        87⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        88⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        89⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        93⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        94⤵
        Checks computer location settings
        
        PID:3660
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        95⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        96⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        97⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        98⤵
        Checks computer location settings
        
        PID:2424
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        99⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        100⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        101⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        102⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        104⤵
        
        PID:716
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        105⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        106⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        107⤵
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        110⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        111⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        112⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        113⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        115⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        116⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        117⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        118⤵
        Checks computer location settings
        
        PID:1576
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        119⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        120⤵
        Checks computer location settings
        
        PID:2412
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        121⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        122⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        123⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        124⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        125⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        126⤵
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        127⤵
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        129⤵
        Checks computer location settings
        
        PID:1328
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        130⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        131⤵
        Checks computer location settings
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        132⤵
        Checks computer location settings
        
        PID:4304
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        133⤵
        Checks computer location settings
        
        PID:716
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        135⤵
        Checks computer location settings
        
        PID:1296
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        137⤵
        
        PID:432
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        138⤵
        Checks computer location settings
        
        PID:3996
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        140⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        141⤵
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        142⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        143⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        144⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        145⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        147⤵
        
        PID:436
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        148⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        150⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        151⤵
        
        PID:728
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        152⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        155⤵
        Checks computer location settings
        
        PID:2208
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        156⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        157⤵
        
        PID:624
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        158⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        159⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        160⤵
        
        PID:536
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        161⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        163⤵
        Checks computer location settings
        
        PID:4132
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        164⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        165⤵
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        167⤵
        
        PID:316
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        169⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        170⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        171⤵
        Checks computer location settings
        
        PID:772
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        172⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        173⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        174⤵
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        176⤵
        
        PID:552
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        177⤵
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        178⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        179⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        181⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        183⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        184⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        187⤵
        Checks computer location settings
        
        PID:3532
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        188⤵
        Checks computer location settings
        
        PID:2632
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        189⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        191⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        193⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        195⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        196⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        198⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        199⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        200⤵
        Checks computer location settings
        
        PID:2028
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        203⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        204⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        205⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        206⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        207⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        208⤵
        
        PID:408
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        209⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        210⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        211⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        212⤵
        
        PID:636
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        213⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        214⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        215⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        216⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        217⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        218⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        219⤵
        
        PID:860
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        220⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        221⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        222⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        223⤵
        
        PID:316
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        224⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        225⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        226⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        227⤵
        
        PID:404
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        228⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        229⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\systemntfy.exe
        
        "C:\Windows\system32\systemntfy.exe"
        230⤵
        
        PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\systemntfy.exe

Filesize
831KB

MD5
c9683c5b615f00d260307e04239ade84

SHA1
8863cc68bc0d0d813a0c6689ddee3fbe2d8f9888

SHA256
4bfb848ca54ce50688857ee50399b9af8b755d916ce502ff3e0107816ada44cf

SHA512
e7a97fc441d8d3f3c62575f6ad0c2c37c10e7968c327c30a6329059269611dd311af28e0687ef6b6d6e37ef248025b3095d6fac4d76efd2307855882ba5a2db5

Download Submit
memory/8-128-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/8-130-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/220-62-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/220-65-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/372-116-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/408-69-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/444-145-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/508-146-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/536-175-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/620-167-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/624-173-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/624-171-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/652-183-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/712-172-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/716-122-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/728-165-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/864-149-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/948-118-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/972-176-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1008-91-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1224-163-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1432-177-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1452-137-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1512-132-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1728-174-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1852-188-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1932-99-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1960-158-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1976-157-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2040-85-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2056-160-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2212-67-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2212-148-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2260-153-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2412-107-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2448-180-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2460-156-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2460-126-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2476-143-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2476-141-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2592-95-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2592-185-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2616-124-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2616-155-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2748-77-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2848-147-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3020-133-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3056-144-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3064-154-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3084-114-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3328-182-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3372-79-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3444-170-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3444-112-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3456-81-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3464-71-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3516-161-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3544-181-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3616-152-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3652-150-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3676-89-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3752-138-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3772-93-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3772-159-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3824-101-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3884-179-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3896-105-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3936-164-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4136-1-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4136-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4136-63-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4168-142-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4168-139-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4180-131-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4248-166-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4264-87-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4316-110-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4352-134-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4368-75-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4368-120-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4372-97-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4372-136-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4444-184-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4464-178-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4560-186-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4572-129-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4660-140-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4696-73-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4724-151-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4896-83-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4932-162-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4960-187-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4968-168-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4988-135-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5100-103-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5104-169-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads