df3a33258d5aa172e09d13a67320eeb023f7ae5046a6c67e33360094a753f3c0

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe
Size

3.5MB
MD5

d03ef962aca218992c37a1a00445926d
SHA1

7b824aea95e463c003dce871b0a39d794c3d7eee
SHA256

df3a33258d5aa172e09d13a67320eeb023f7ae5046a6c67e33360094a753f3c0
SHA512

aa35b0e6c980bbf77cd509f785bb7d224e859cac01520f27265cdd22a6b6c004a8a5c05b8a05d2cacafa42688ee63fec1e2b646d5b9de722b4ba4df72b12a16c
SSDEEP

98304:zdHGytDzF7VB+yVGfSEu1pGhnWq6gd5hYWBZiqDVM:zdHxtDhVVG6EuzGWq6shxv7M

Score

9^/10

defense_evasion discovery evasion persistence upx

Malware Config

Signatures

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3948-341-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/4896-348-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0"	pev.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	InfDefaultInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0"	PEV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0"	PEV.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.cfxxe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HANDLE.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGEDIT.EXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GREP.CFXXE	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extract.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catchme.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extract.cfxxe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REG.EXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zip.cfxxe	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNDLL32.EXE	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regt.cfxxe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.cfxxe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\listdlls.cfxxe	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIND.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.CFXXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.cfxxe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ATTRIB.EXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Combo-Fix.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.cfxxe	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SED.CFXXE	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setpath.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTRACT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FDSV.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdsv.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MTEE.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\LISTDLLS.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CTFMON.EXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MOVEEX.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WSCRIPT.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WSCRIPT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RESTARTIT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\LISTDLLS.CFXXE	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regt.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restartit.cfxxe	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MTEE.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MOVEEX.CFXXE	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catchme.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.cfxxe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.cfxxe	PEV.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	n.pif

Executes dropped EXE 50 IoCs

pid	Process
3948	iexplore.exe
4896	iexplore.exe
2000	iexplore.exe
1800	hidec.exe
4304	iexplore.exe
3656	pev.exe
3852	n.pif
4800	n.pif
4888	PEV.exe
2092	hidec.exe
2932	PEV.exe
2812	hidec.exe
1148	hidec.exe
2836	hidec.exe
2560	hidec.exe
2860	swreg.exe
4484	swreg.exe
1456	swreg.exe
3252	SWXCACLS.cfxxe
884	n.pif
872	SWREG.exe
4348	hidec.exe
2820	n.pif
4488	SWREG.exe
5024	SWREG.exe
5052	hidec.exe
60	SWREG.exe
4316	n.pif
2660	n.pif
2180	nircmd.cfxxe
3548	swreg.exe
2192	n.pif
1688	GSAR.cfxxe
4740	nircmd.cfxxe
4876	GSAR.cfxxe
4284	n.pif
1144	nircmd.cfxxe
3744	cmd.cfxxe
3792	pev.exe
2848	grep.cfxxe
3876	grep.cfxxe
3052	grep.cfxxe
4744	swreg.exe
2272	grep.cfxxe
1048	grep.cfxxe
1068	grep.cfxxe
4484	NirCmd.cfxxe
4712	n.pif
2416	cmd.cfxxe
4908	cmd.cfxxe

Impair Defenses: Safe Mode Boot 1 TTPs 12 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service"	PEV.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver"	PEV.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service"	PEV.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart	PEV.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys	pev.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver"	pev.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart	pev.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service"	pev.exe

Modifies system executable filetype association 2 TTPs 32 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4556-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-273.dat	upx
behavioral2/memory/3948-327-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3948-341-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4896-348-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4556-368-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/files/0x00090000000006cf-383.dat	upx
behavioral2/memory/4484-388-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4484-398-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1456-405-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2860-403-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/872-407-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/5024-414-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4488-415-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/60-420-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3548-431-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4744-464-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4556-477-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	InfDefaultInstall.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	pev.exe

Indicator Removal: Clear Persistence 1 TTPs 64 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIND.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SED.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REG.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTRACT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SF.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REG.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XCOPY.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSEXEC.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SF.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERUNT.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSEXEC.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\DUMPHIVE.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERUNT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIND.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWSC.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNDLL32.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ATTRIB.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERUNT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\LISTDLLS.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBO-FIX.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FINDSTR.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.COM	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERDNT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WSCRIPT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZIP.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MOVEEX.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MTEE.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SF.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SED.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWSC.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FDSV.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGEDIT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGT.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GREP.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FDSV.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHCP.COM	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SED.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWSC.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGT.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGEDIT.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWXCACLS.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWXCACLS.CFXXE	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZIP.CFXXE	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE	PEV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWREG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSAR.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nircmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nircmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSAR.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWREG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWREG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nircmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWXCACLS.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWREG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grep.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfDefaultInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NirCmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.cfxxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hidec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	PEV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	PEV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	PEV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	PEV.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	n.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	4484	swreg.exe
Token: SeRestorePrivilege	4484	swreg.exe
Token: SeSecurityPrivilege	4484	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe
Token: SeRestorePrivilege	2860	swreg.exe
Token: SeSecurityPrivilege	2860	swreg.exe
Token: SeTakeOwnershipPrivilege	2860	swreg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3948	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	88
PID 4556 wrote to memory of 3948	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	88
PID 4556 wrote to memory of 3948	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	88
PID 4556 wrote to memory of 4896	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4896	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	89
PID 4556 wrote to memory of 4896	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	89
PID 4556 wrote to memory of 2000	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	90
PID 4556 wrote to memory of 2000	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	90
PID 4556 wrote to memory of 2000	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	90
PID 4556 wrote to memory of 1800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	91
PID 4556 wrote to memory of 1800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	91
PID 4556 wrote to memory of 1800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	91
PID 2000 wrote to memory of 4304	2000	iexplore.exe	92
PID 2000 wrote to memory of 4304	2000	iexplore.exe	92
PID 2000 wrote to memory of 4304	2000	iexplore.exe	92
PID 1800 wrote to memory of 3656	1800	hidec.exe	93
PID 1800 wrote to memory of 3656	1800	hidec.exe	93
PID 1800 wrote to memory of 3656	1800	hidec.exe	93
PID 4556 wrote to memory of 3852	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	96
PID 4556 wrote to memory of 3852	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	96
PID 4556 wrote to memory of 3852	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	96
PID 3852 wrote to memory of 4288	3852	n.pif	97
PID 3852 wrote to memory of 4288	3852	n.pif	97
PID 3852 wrote to memory of 4288	3852	n.pif	97
PID 4288 wrote to memory of 4924	4288	InfDefaultInstall.exe	98
PID 4288 wrote to memory of 4924	4288	InfDefaultInstall.exe	98
PID 4288 wrote to memory of 4924	4288	InfDefaultInstall.exe	98
PID 4924 wrote to memory of 5012	4924	runonce.exe	99
PID 4924 wrote to memory of 5012	4924	runonce.exe	99
PID 4924 wrote to memory of 5012	4924	runonce.exe	99
PID 4556 wrote to memory of 4800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	101
PID 4556 wrote to memory of 4800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	101
PID 4556 wrote to memory of 4800	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	101
PID 4800 wrote to memory of 4888	4800	n.pif	102
PID 4800 wrote to memory of 4888	4800	n.pif	102
PID 4800 wrote to memory of 4888	4800	n.pif	102
PID 4556 wrote to memory of 2092	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	104
PID 4556 wrote to memory of 2092	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	104
PID 4556 wrote to memory of 2092	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	104
PID 4556 wrote to memory of 2812	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	105
PID 4556 wrote to memory of 2812	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	105
PID 4556 wrote to memory of 2812	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	105
PID 2092 wrote to memory of 2932	2092	hidec.exe	106
PID 2092 wrote to memory of 2932	2092	hidec.exe	106
PID 2092 wrote to memory of 2932	2092	hidec.exe	106
PID 4556 wrote to memory of 1148	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	108
PID 4556 wrote to memory of 1148	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	108
PID 4556 wrote to memory of 1148	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	108
PID 4556 wrote to memory of 2836	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	109
PID 4556 wrote to memory of 2836	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	109
PID 4556 wrote to memory of 2836	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	109
PID 4556 wrote to memory of 2560	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	110
PID 4556 wrote to memory of 2560	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	110
PID 4556 wrote to memory of 2560	4556	d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe	110
PID 2812 wrote to memory of 1456	2812	hidec.exe	111
PID 2812 wrote to memory of 1456	2812	hidec.exe	111
PID 2812 wrote to memory of 1456	2812	hidec.exe	111
PID 1148 wrote to memory of 2860	1148	hidec.exe	112
PID 1148 wrote to memory of 2860	1148	hidec.exe	112
PID 1148 wrote to memory of 2860	1148	hidec.exe	112
PID 2836 wrote to memory of 4484	2836	hidec.exe	113
PID 2836 wrote to memory of 4484	2836	hidec.exe	113
PID 2836 wrote to memory of 4484	2836	hidec.exe	113
PID 2560 wrote to memory of 3252	2560	hidec.exe	114

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe

C:\Users\Admin\AppData\Local\Temp\d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d03ef962aca218992c37a1a00445926d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4556
- C:\32788R22FWJFW\iexplore.exe
  "C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948
- C:\32788R22FWJFW\iexplore.exe
  "C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896
- C:\32788R22FWJFW\iexplore.exe
  "C:\32788R22FWJFW\iexplore.exe" exec hide 32788R22FWJFW\License\iexplore.exe -k and { *sysguard.exe or ???*tssd.exe or a-fast.exe or -preg"\\[\da-f]*\d[\da-f]*\\*.exe" }
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\32788R22FWJFW\License\iexplore.exe
    32788R22FWJFW\License\iexplore.exe -k and { *sysguard.exe or ???*tssd.exe or a-fast.exe or -preg"\\[\da-f]*\d[\da-f]*\\*.exe" }
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4304
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or a-fast.exe or digprot.exe or *Police*Pro.exe or svch[!o]st.exe or sv[!c]host.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or ave.exe or -preg"\d{3,}.exe" }
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\32788R22FWJFW\pev.exe
    32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or a-fast.exe or digprot.exe or *Police*Pro.exe or svch[!o]st.exe or sv[!c]host.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or ave.exe or -preg"\d{3,}.exe" }
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    "C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
    3⤵
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\32788R22FWJFW\PEV.exe
    32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
    3⤵
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Indicator Removal: Clear Persistence
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - System policy modification
    PID:4888
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\32788R22FWJFW\PEV.exe
    32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
    3⤵
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Indicator Removal: Clear Persistence
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - System policy modification
    PID:2932
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\32788R22FWJFW\swreg.exe
    32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1456
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\32788R22FWJFW\swreg.exe
    32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\32788R22FWJFW\swreg.exe
    32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\32788R22FWJFW\SWXCACLS.cfxxe
    32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3252
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:884
- - C:\32788R22FWJFW\SWREG.exe
    32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:872
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\32788R22FWJFW\SWREG.exe
    32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4488
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- - C:\32788R22FWJFW\SWREG.exe
    32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5024
- C:\32788R22FWJFW\hidec.exe
  "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5052
- - C:\32788R22FWJFW\SWREG.exe
    32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:60
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4316
- - C:\32788R22FWJFW\swreg.exe
    32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3548
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\32788R22FWJFW\nircmd.cfxxe
  "C:\32788R22FWJFW\nircmd.cfxxe" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192
- - C:\32788R22FWJFW\GSAR.cfxxe
    32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\32788R22FWJFW\nircmd.cfxxe
  "C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\32788R22FWJFW\GSAR.cfxxe
    32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4876
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284
- - C:\32788R22FWJFW\cmd.cfxxe
    "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3744
  - - C:\32788R22FWJFW\pev.exe
      32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
      4⤵
      Disables RegEdit via registry modification
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      Modifies system executable filetype association
      Adds Run key to start application
      Indicator Removal: Clear Persistence
      Modifies data under HKEY_USERS
      Modifies registry class
      System policy modification
      PID:3792
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -F "5.1.2" OsVer
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -F "6.0.6" OsVer
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3876
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -F "6.1.7600" OsVer
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\32788R22FWJFW\swreg.exe
      SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
      4⤵
      Executes dropped EXE
      PID:4744
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -is "currentversion.* 6.[01]" OsVer00
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -F "5.00.2" OsVer
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1048
  - - C:\32788R22FWJFW\grep.cfxxe
      GREP.cfxxe -F "5.2." OsVer
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1068
  - - C:\Windows\SysWOW64\chcp.com
      CHCP 1252
      4⤵
      System Location Discovery: System Language Discovery
      PID:3436
  - - C:\32788R22FWJFW\NirCmd.cfxxe
      Nircmd.cfxxe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4484
- C:\32788R22FWJFW\nircmd.cfxxe
  "C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144
- - C:\32788R22FWJFW\cmd.cfxxe
    "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2416
- C:\32788R22FWJFW\n.pif
  "C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712
- - C:\32788R22FWJFW\cmd.cfxxe
    "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\32788R22FWJFW\License\iexplore.exe

Filesize
250KB

MD5
f1fba6185a6a2bc6456970914875078e

SHA1
a3a0da9b072ad4ceab9aec41af71a730d9b44744

SHA256
deaaab3b825ebadb6395e0be7671f96fd30ca8f76159b53c2d11da5c2ca7b7d0

SHA512
45cd68a2465d5aa24a693f5bdec9999fee1117e4329d4ae2e1d51a923d42d717e1d09eff9f9e11f3282ebc32422640028d64bf108f9d3d9c49bcd1df6b14212a

Download Submit
C:\32788R22FWJFW\OsVer

Filesize
104B

MD5
81107438325dd733bb955160756d8c08

SHA1
fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca

SHA256
29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6

SHA512
d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed

Download Submit
C:\32788R22FWJFW\OsVer00

Filesize
180B

MD5
565b4fcda29a1d96b7d24cf989068f72

SHA1
3b2a83f8f1c436145defd842ad9c6c4c3509e8ed

SHA256
c13525d71c5c05c054078a8634d639d899878ba1943491f18a31bc63c19b6772

SHA512
27e10a4eee95ab0597cc570f4cbb7ff0a7cb957968c017d0204d0dbd4a75d8875eb42152610123366c4d3ab58d8f03f8766578759a62d7bed90c91c586a7dc05

Download Submit
C:\32788R22FWJFW\P.cmd

Filesize
17KB

MD5
ba91ee612259a827c0b51cad5238f42a

SHA1
499ac9f33a48f0cab301f48e0d4d015e919d21ab

SHA256
bfde2eff0f119ee5d3e36c23d02d3592bf3e33298c5549451a293389ab63b9fe

SHA512
ea8879b044951b8870eca1d083e4f23779433203b91d9ba01630950175927238d4ca0d1478af71043d7ed5ee019c4553c1cb79ff2c683a2a5640835a8579c9ff

Download Submit
C:\32788R22FWJFW\Prep.inf

Filesize
2KB

MD5
1aa16d0f74468cf739427c823e44f693

SHA1
ea83e02989f1427fb0f2f1f5eb23e1e125cd5c78

SHA256
8419a839e8e106403e2dc8ae73ef9a627bb894b91a5b39e2ad88e62c9d66dc56

SHA512
0a403c320ce88bd7b0dcbfcf71e552d08e070fafefeada050c330f01e50cc542726812026d18b14216be49ca608197630b65f23fc32b89268b8bb86de7c35782

Download Submit
C:\32788R22FWJFW\Rkey.cmd

Filesize
442B

MD5
727ca2b11d0c32a56102d1de0bc537c5

SHA1
57674ed47e2cd1049236afca38e80bb46f160dc5

SHA256
9e503cecb9470ee104c147972ac79ab481e51fc567d93d4d9cf8d3358b1e7514

SHA512
df9574a5d754e4958c900176844bce1744b3829250880790e2d0abcb313c130aefee0f710a5d1e841cdb64f411cd61c7768f7f172d5db27ed47961f78b54e217

Download Submit
C:\32788R22FWJFW\grep.cfxxe

Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\gsar.cfxxe

Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\hidec.exe

Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\n.pif

Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\swreg.exe

Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swxcacls.cfxxe

Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
C:\\32788R22FWJFW\EXE.reg

Filesize
13KB

MD5
3c76471e2e02fb0a60fce98120ac607d

SHA1
4c3f336111cb4223e6e011033af85edf7fc13fb2

SHA256
3421abc6b631a78fe18152dc7391154224097e62944cc93b801d76a2e7f308f2

SHA512
59c20586e655cd0180c017b1000b38879b477040c923642730cabc3941b8da70d5e82274e46ca626f4c859deb15d03183bda9173a006e105805668eba1979ef0

Download Submit
C:\\32788R22FWJFW\cmd.cfxxe

Filesize
231KB

MD5
29824dce144b6134797729005107ee1f

SHA1
d0bb9999154b87c32658b55c5c3bc2c5cbe156b6

SHA256
bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5

SHA512
f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

Download Submit
memory/60-420-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/872-407-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1048-470-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1068-472-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1456-405-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1800-347-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2272-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-378-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2848-458-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2860-403-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2932-396-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/3052-462-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3252-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-431-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3656-354-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/3656-365-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/3792-452-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/3876-460-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3948-341-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4304-353-0x0000000000D40000-0x0000000000E11000-memory.dmp

Filesize
836KB

Download
memory/4304-362-0x0000000000D40000-0x0000000000E11000-memory.dmp

Filesize
836KB

Download
memory/4484-398-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4484-388-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4488-415-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4556-368-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4556-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4556-477-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4744-464-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4888-374-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/4896-348-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5024-414-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads