432ef4a50213cba3dd785700715e615c902a06b740b906fb3ac5a8aaaa7d2d23

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Size

15KB
MD5

e275fcb2a73abf7c093ec464bcdb176f
SHA1

1cf65797345e5250de7669528d6fef8dbc9479a0
SHA256

432ef4a50213cba3dd785700715e615c902a06b740b906fb3ac5a8aaaa7d2d23
SHA512

9edb8c6abbb0dcf5888d1994befbd80465639139af42ae5be8d2690cc85d227c295b5d61ecd799e913e716d3634c963bee8a6763cd21dc5e3d422f1d03ff42a1
SSDEEP

384:5D6LJAFhpDnnrdX4t/Zf45rNZm7yVAL1v:xlrdXgwZgyGL

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 22 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe shell"	msdto.exe

Blocklisted process makes network request 14 IoCs

flow	pid	Process
8	2220	rundll32.exe
10	2220	rundll32.exe
18	2940	rundll32.exe
19	2940	rundll32.exe
24	3016	rundll32.exe
25	3016	rundll32.exe
30	2344	rundll32.exe
31	2344	rundll32.exe
36	1948	rundll32.exe
37	1948	rundll32.exe
42	1768	rundll32.exe
43	1768	rundll32.exe
48	2932	rundll32.exe
49	2932	rundll32.exe

Executes dropped EXE 64 IoCs

pid	Process
2700	msdto.exe
2432	msdto.exe
2696	shell.exe
2768	msdto.exe
2896	shell.exe
1504	cstrike.exe
1908	shell.exe
1944	cstrike.exe
1868	msdto.exe
3040	cstrike.exe
1036	shell.exe
2748	cstrike.exe
2752	msdto.exe
352	msdto.exe
2512	shell.exe
288	shell.exe
1668	msdto.exe
1572	cstrike.exe
1636	cstrike.exe
1700	shell.exe
2772	cstrike.exe
2224	msdto.exe
1680	msdto.exe
836	shell.exe
1056	msdto.exe
1864	shell.exe
2088	cstrike.exe
2132	shell.exe
2468	cstrike.exe
2476	cstrike.exe
1440	msdto.exe
3004	msdto.exe
1564	shell.exe
1892	shell.exe
2220	msdto.exe
2800	cstrike.exe
1884	cstrike.exe
2028	shell.exe
3008	cstrike.exe
1712	msdto.exe
2444	msdto.exe
2056	shell.exe
2072	msdto.exe
1664	shell.exe
2096	cstrike.exe
2856	shell.exe
2496	cstrike.exe
2764	cstrike.exe
2008	msdto.exe
1008	msdto.exe
2516	shell.exe
1956	shell.exe
2956	msdto.exe
1336	cstrike.exe
2148	cstrike.exe
2136	shell.exe
2996	cstrike.exe
2348	msdto.exe
296	msdto.exe
1196	shell.exe
1448	msdto.exe
1700	shell.exe
1716	cstrike.exe
2616	shell.exe

Loads dropped DLL 64 IoCs

pid	Process
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
2700	msdto.exe
2700	msdto.exe
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
2696	shell.exe
2696	shell.exe
2700	msdto.exe
2700	msdto.exe
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
2220	rundll32.exe
2696	shell.exe
2696	shell.exe
2700	msdto.exe
2700	msdto.exe
1944	cstrike.exe
1944	cstrike.exe
2696	shell.exe
2696	shell.exe
1944	cstrike.exe
1944	cstrike.exe
1944	cstrike.exe
1944	cstrike.exe
1504	cstrike.exe
1504	cstrike.exe
2752	msdto.exe
2752	msdto.exe
1504	cstrike.exe
1504	cstrike.exe
2752	msdto.exe
2752	msdto.exe
2512	shell.exe
2512	shell.exe
1504	cstrike.exe
1504	cstrike.exe
2752	msdto.exe
2752	msdto.exe
2512	shell.exe
2512	shell.exe
2512	shell.exe
2512	shell.exe
1572	cstrike.exe
1572	cstrike.exe
2224	msdto.exe
2224	msdto.exe
1572	cstrike.exe
1572	cstrike.exe
836	shell.exe
836	shell.exe
2224	msdto.exe
2224	msdto.exe
1572	cstrike.exe
1572	cstrike.exe
836	shell.exe
836	shell.exe
2224	msdto.exe
2224	msdto.exe
836	shell.exe
836	shell.exe
2088	cstrike.exe
2088	cstrike.exe
1440	msdto.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msdto = "C:\\Windows\\system32\\msdto.exe"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cstrike = "C:\\Windows\\system32\\cstrike.exe"	msdto.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msdto.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdto.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cstrike.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cstrike.exe	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstrike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	cstrike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\SysWow64\\msdto.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	msdto.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command	cstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	msdto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\spcolsv.exe %1"	cstrike.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
Token: 33	2700	msdto.exe
Token: SeIncBasePriorityPrivilege	2700	msdto.exe
Token: 33	2432	msdto.exe
Token: SeIncBasePriorityPrivilege	2432	msdto.exe
Token: 33	2696	shell.exe
Token: SeIncBasePriorityPrivilege	2696	shell.exe
Token: 33	2768	msdto.exe
Token: SeIncBasePriorityPrivilege	2768	msdto.exe
Token: 33	2896	shell.exe
Token: SeIncBasePriorityPrivilege	2896	shell.exe
Token: 33	1908	shell.exe
Token: SeIncBasePriorityPrivilege	1908	shell.exe
Token: 33	1944	cstrike.exe
Token: SeIncBasePriorityPrivilege	1944	cstrike.exe
Token: 33	1868	msdto.exe
Token: SeIncBasePriorityPrivilege	1868	msdto.exe
Token: 33	3040	cstrike.exe
Token: SeIncBasePriorityPrivilege	3040	cstrike.exe
Token: 33	1036	shell.exe
Token: SeIncBasePriorityPrivilege	1036	shell.exe
Token: 33	2748	cstrike.exe
Token: SeIncBasePriorityPrivilege	2748	cstrike.exe
Token: 33	1504	cstrike.exe
Token: SeIncBasePriorityPrivilege	1504	cstrike.exe
Token: 33	2752	msdto.exe
Token: SeIncBasePriorityPrivilege	2752	msdto.exe
Token: 33	352	msdto.exe
Token: SeIncBasePriorityPrivilege	352	msdto.exe
Token: 33	2512	shell.exe
Token: SeIncBasePriorityPrivilege	2512	shell.exe
Token: 33	288	shell.exe
Token: SeIncBasePriorityPrivilege	288	shell.exe
Token: 33	1668	msdto.exe
Token: SeIncBasePriorityPrivilege	1668	msdto.exe
Token: 33	1636	cstrike.exe
Token: SeIncBasePriorityPrivilege	1636	cstrike.exe
Token: 33	1700	shell.exe
Token: SeIncBasePriorityPrivilege	1700	shell.exe
Token: 33	2772	cstrike.exe
Token: SeIncBasePriorityPrivilege	2772	cstrike.exe
Token: 33	1572	cstrike.exe
Token: SeIncBasePriorityPrivilege	1572	cstrike.exe
Token: 33	2224	msdto.exe
Token: SeIncBasePriorityPrivilege	2224	msdto.exe
Token: 33	1680	msdto.exe
Token: SeIncBasePriorityPrivilege	1680	msdto.exe
Token: 33	836	shell.exe
Token: SeIncBasePriorityPrivilege	836	shell.exe
Token: 33	1056	msdto.exe
Token: SeIncBasePriorityPrivilege	1056	msdto.exe
Token: 33	1864	shell.exe
Token: SeIncBasePriorityPrivilege	1864	shell.exe
Token: 33	2132	shell.exe
Token: SeIncBasePriorityPrivilege	2132	shell.exe
Token: 33	2468	cstrike.exe
Token: SeIncBasePriorityPrivilege	2468	cstrike.exe
Token: 33	2476	cstrike.exe
Token: SeIncBasePriorityPrivilege	2476	cstrike.exe
Token: 33	2088	cstrike.exe
Token: SeIncBasePriorityPrivilege	2088	cstrike.exe
Token: 33	1440	msdto.exe
Token: SeIncBasePriorityPrivilege	1440	msdto.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
2700	msdto.exe
2432	msdto.exe
2696	shell.exe
2768	msdto.exe
2896	shell.exe
1908	shell.exe
1944	cstrike.exe
1868	msdto.exe
3040	cstrike.exe
1036	shell.exe
2748	cstrike.exe
1504	cstrike.exe
2752	msdto.exe
352	msdto.exe
2512	shell.exe
288	shell.exe
1668	msdto.exe
1636	cstrike.exe
1700	shell.exe
2772	cstrike.exe
1572	cstrike.exe
2224	msdto.exe
1680	msdto.exe
836	shell.exe
1056	msdto.exe
1864	shell.exe
2132	shell.exe
2468	cstrike.exe
2476	cstrike.exe
2088	cstrike.exe
1440	msdto.exe
3004	msdto.exe
1564	shell.exe
1892	shell.exe
2220	msdto.exe
2028	shell.exe
1884	cstrike.exe
3008	cstrike.exe
2800	cstrike.exe
1712	msdto.exe
2444	msdto.exe
2056	shell.exe
2072	msdto.exe
1664	shell.exe
2856	shell.exe
2496	cstrike.exe
2764	cstrike.exe
2096	cstrike.exe
2008	msdto.exe
1008	msdto.exe
2516	shell.exe
1956	shell.exe
2956	msdto.exe
2136	shell.exe
2148	cstrike.exe
2996	cstrike.exe
1336	cstrike.exe
296	msdto.exe
1196	shell.exe
1448	msdto.exe
1700	shell.exe
2616	shell.exe
1944	cstrike.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2700	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	30
PID 1564 wrote to memory of 2700	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	30
PID 1564 wrote to memory of 2700	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	30
PID 1564 wrote to memory of 2700	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2432	2700	msdto.exe	31
PID 2700 wrote to memory of 2432	2700	msdto.exe	31
PID 2700 wrote to memory of 2432	2700	msdto.exe	31
PID 2700 wrote to memory of 2432	2700	msdto.exe	31
PID 1564 wrote to memory of 2696	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	32
PID 1564 wrote to memory of 2696	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	32
PID 1564 wrote to memory of 2696	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	32
PID 1564 wrote to memory of 2696	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2768	2696	shell.exe	33
PID 2696 wrote to memory of 2768	2696	shell.exe	33
PID 2696 wrote to memory of 2768	2696	shell.exe	33
PID 2696 wrote to memory of 2768	2696	shell.exe	33
PID 2700 wrote to memory of 2896	2700	msdto.exe	34
PID 2700 wrote to memory of 2896	2700	msdto.exe	34
PID 2700 wrote to memory of 2896	2700	msdto.exe	34
PID 2700 wrote to memory of 2896	2700	msdto.exe	34
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1564 wrote to memory of 1504	1564	e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe	36
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 1504 wrote to memory of 2220	1504	cstrike.exe	37
PID 2696 wrote to memory of 1908	2696	shell.exe	38
PID 2696 wrote to memory of 1908	2696	shell.exe	38
PID 2696 wrote to memory of 1908	2696	shell.exe	38
PID 2696 wrote to memory of 1908	2696	shell.exe	38
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 2700 wrote to memory of 1944	2700	msdto.exe	39
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1008	1944	cstrike.exe	40
PID 1944 wrote to memory of 1868	1944	cstrike.exe	41
PID 1944 wrote to memory of 1868	1944	cstrike.exe	41
PID 1944 wrote to memory of 1868	1944	cstrike.exe	41
PID 1944 wrote to memory of 1868	1944	cstrike.exe	41
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 2696 wrote to memory of 3040	2696	shell.exe	42
PID 3040 wrote to memory of 2324	3040	cstrike.exe	43

C:\Users\Admin\AppData\Local\Temp\e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e275fcb2a73abf7c093ec464bcdb176f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\msdto.exe
  C:\Windows\system32\msdto.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\msdto.exe
    C:\Windows\system32\msdto.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Windows\SysWOW64\shell.exe
    C:\Windows\system32\shell.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\cstrike.exe
    C:\Windows\system32\cstrike.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1944
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Windows\SysWOW64\msdto.exe
      C:\Windows\system32\msdto.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1868
  - - C:\Windows\SysWOW64\shell.exe
      C:\Windows\system32\shell.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1036
  - - C:\Windows\SysWOW64\cstrike.exe
      C:\Windows\system32\cstrike.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2748
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2748
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
- C:\Windows\SysWOW64\shell.exe
  C:\Windows\system32\shell.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\msdto.exe
    C:\Windows\system32\msdto.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Windows\SysWOW64\shell.exe
    C:\Windows\system32\shell.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\cstrike.exe
    C:\Windows\system32\cstrike.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;3040
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
- C:\Windows\SysWOW64\cstrike.exe
  C:\Windows\system32\cstrike.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1504
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\msdto.exe
    C:\Windows\system32\msdto.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2752
  - - C:\Windows\SysWOW64\msdto.exe
      C:\Windows\system32\msdto.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:352
  - - C:\Windows\SysWOW64\shell.exe
      C:\Windows\system32\shell.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:288
  - - C:\Windows\SysWOW64\cstrike.exe
      C:\Windows\system32\cstrike.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1636
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1636
        5⤵
        
        PID:2376
- - C:\Windows\SysWOW64\shell.exe
    C:\Windows\system32\shell.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2512
  - - C:\Windows\SysWOW64\msdto.exe
      C:\Windows\system32\msdto.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1668
  - - C:\Windows\SysWOW64\shell.exe
      C:\Windows\system32\shell.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1700
  - - C:\Windows\SysWOW64\cstrike.exe
      C:\Windows\system32\cstrike.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2772
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2772
        5⤵
        
        PID:2580
- - C:\Windows\SysWOW64\cstrike.exe
    C:\Windows\system32\cstrike.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1572
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1572
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2940
  - - C:\Windows\SysWOW64\msdto.exe
      C:\Windows\system32\msdto.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2224
    - - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1680
    - - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1864
    - - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2468
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2468
        6⤵
        
        PID:2556
  - - C:\Windows\SysWOW64\shell.exe
      C:\Windows\system32\shell.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:836
    - - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1056
    - - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2132
    - - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2476
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2476
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
  - - C:\Windows\SysWOW64\cstrike.exe
      C:\Windows\system32\cstrike.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2088
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2088
        5⤵
        Blocklisted process makes network request
        Modifies registry class
        
        PID:3016
    - - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1440
      - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
      - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
      - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1884
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
    - - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
      - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
      - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;3008
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
    - - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2800
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2800
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
      - C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2496
        8⤵
        
        PID:2352
      - C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2764
        8⤵
        
        PID:3056
      - C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2096
        7⤵
        Blocklisted process makes network request
        
        PID:1948
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2148
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;2996
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1336
        8⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1944
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\msdto.exe
        
        C:\Windows\system32\msdto.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\shell.exe
        
        C:\Windows\system32\shell.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;536
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cstrike.exe
        
        C:\Windows\system32\cstrike.exe
        8⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {485560be-5c80-4465-aeda-e2b95d0608c0};C:\Windows\SysWOW64\cstrike.exe;1716
        9⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msdto.exe

Filesize
15KB

MD5
e275fcb2a73abf7c093ec464bcdb176f

SHA1
1cf65797345e5250de7669528d6fef8dbc9479a0

SHA256
432ef4a50213cba3dd785700715e615c902a06b740b906fb3ac5a8aaaa7d2d23

SHA512
9edb8c6abbb0dcf5888d1994befbd80465639139af42ae5be8d2690cc85d227c295b5d61ecd799e913e716d3634c963bee8a6763cd21dc5e3d422f1d03ff42a1

Download Submit
memory/288-154-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/352-140-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/536-360-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/836-207-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/836-215-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/836-221-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/836-198-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1036-109-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1056-202-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1056-200-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1196-343-0x0000000000520000-0x000000000052D000-memory.dmp

Filesize
52KB

Download
memory/1440-245-0x0000000001D50000-0x0000000001D5D000-memory.dmp

Filesize
52KB

Download
memory/1440-229-0x0000000001D50000-0x0000000001D5D000-memory.dmp

Filesize
52KB

Download
memory/1440-230-0x0000000001D50000-0x0000000001D5D000-memory.dmp

Filesize
52KB

Download
memory/1440-236-0x0000000001D50000-0x0000000001D5D000-memory.dmp

Filesize
52KB

Download
memory/1504-185-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1504-183-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1504-164-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1504-130-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1504-129-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1504-143-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1564-69-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1564-124-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1564-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1564-18-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1564-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1564-17-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1564-41-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/1564-253-0x0000000000840000-0x000000000084D000-memory.dmp

Filesize
52KB

Download
memory/1564-122-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1572-195-0x0000000001D30000-0x0000000001D3D000-memory.dmp

Filesize
52KB

Download
memory/1572-224-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1572-222-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1636-171-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1664-281-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1680-194-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1712-268-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/1868-95-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1884-252-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1892-238-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1892-240-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1908-83-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1944-121-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1944-91-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/1944-115-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/2008-311-0x0000000000770000-0x000000000077D000-memory.dmp

Filesize
52KB

Download
memory/2008-304-0x0000000000770000-0x000000000077D000-memory.dmp

Filesize
52KB

Download
memory/2028-249-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2056-282-0x00000000025B0000-0x00000000025BD000-memory.dmp

Filesize
52KB

Download
memory/2056-296-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2088-261-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2088-259-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2088-244-0x00000000004F0000-0x00000000004FD000-memory.dmp

Filesize
52KB

Download
memory/2096-308-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2096-319-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2096-335-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2132-211-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2136-323-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2220-74-0x0000000000C40000-0x0000000000C44000-memory.dmp

Filesize
16KB

Download
memory/2224-203-0x0000000001D70000-0x0000000001D7D000-memory.dmp

Filesize
52KB

Download
memory/2224-190-0x0000000001D70000-0x0000000001D7D000-memory.dmp

Filesize
52KB

Download
memory/2348-365-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2348-347-0x0000000001B70000-0x0000000001B7D000-memory.dmp

Filesize
52KB

Download
memory/2432-29-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2468-214-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2476-218-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2496-289-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2512-172-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/2512-182-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2512-157-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/2696-111-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2696-48-0x0000000001E50000-0x0000000001E5D000-memory.dmp

Filesize
52KB

Download
memory/2696-43-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2696-79-0x0000000001E50000-0x0000000001E5D000-memory.dmp

Filesize
52KB

Download
memory/2700-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2700-27-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/2700-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2700-26-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/2700-57-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/2748-119-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2752-176-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2752-149-0x0000000001FA0000-0x0000000001FAD000-memory.dmp

Filesize
52KB

Download
memory/2764-293-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2768-53-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2772-180-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2800-299-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2800-297-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2800-265-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2800-272-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2800-264-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2896-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2956-318-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2996-330-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3040-101-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads