cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Size

376KB
MD5

ed7106c2fe2aaa98b9c79c264f5061e5
SHA1

760e2e1e1f6527752443cd28e6b78da10a5a84fc
SHA256

cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd
SHA512

071ca7b0745d95d9ff6325a7939288a346b8dec66b5e606a65fb71e4b80eb712ca7e5a478ef95e4107d3ad91294fd3113302b0735d3c94f0b548406f5392ea9c
SSDEEP

3072:+sJlOGa8bJl3VmP5t5Y5t5o5t5P5t5PyJ4:+87jMP7+767p7

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe

Executes dropped EXE 64 IoCs

pid	Process
2132	Fun.exe
2736	SVIQ.EXE
2444	dc.exe
2440	Fun.exe
2524	SVIQ.EXE
1200	Fun.exe
2120	SVIQ.EXE
1976	Fun.exe
1760	SVIQ.EXE
2852	Fun.exe
1476	SVIQ.EXE
2972	Fun.exe
1240	SVIQ.EXE
1608	Fun.exe
2092	SVIQ.EXE
2656	Fun.exe
2824	SVIQ.EXE
2748	Fun.exe
2180	SVIQ.EXE
1952	Fun.exe
1972	SVIQ.EXE
2364	Fun.exe
2020	SVIQ.EXE
2856	Fun.exe
1536	SVIQ.EXE
1264	Fun.exe
1320	SVIQ.EXE
2780	Fun.exe
2472	SVIQ.EXE
2384	Fun.exe
3052	SVIQ.EXE
996	Fun.exe
2328	SVIQ.EXE
1732	Fun.exe
1356	Fun.exe
2092	Fun.exe
2124	SVIQ.EXE
2804	Fun.exe
2240	SVIQ.EXE
2844	Fun.exe
2668	Fun.exe
680	Fun.exe
2748	Fun.exe
324	Fun.exe
1940	Fun.exe
948	Fun.exe
2036	SVIQ.EXE
1568	Fun.exe
2200	SVIQ.EXE
2756	Fun.exe
1200	Fun.exe
2164	Fun.exe
1804	Fun.exe
1528	Fun.exe
1596	Fun.exe
696	Fun.exe
2152	SVIQ.EXE
1212	Fun.exe
1292	SVIQ.EXE
2588	Fun.exe
3040	SVIQ.EXE
1500	Fun.exe
1680	Fun.exe
2284	Fun.exe

Loads dropped DLL 64 IoCs

pid	Process
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2444	dc.exe
2736	SVIQ.EXE
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File created	C:\Windows\SysWOW64\config\Win.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	dc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2132	Fun.exe
2736	SVIQ.EXE
2444	dc.exe
2132	Fun.exe
2736	SVIQ.EXE
2444	dc.exe
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2132	Fun.exe
2736	SVIQ.EXE
2444	dc.exe
2440	Fun.exe
2524	SVIQ.EXE
2736	SVIQ.EXE
1200	Fun.exe
2120	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
1976	Fun.exe
1760	SVIQ.EXE
2444	dc.exe
2736	SVIQ.EXE
2444	dc.exe
2852	Fun.exe
1476	SVIQ.EXE
2444	dc.exe
2972	Fun.exe
2736	SVIQ.EXE
1240	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
1608	Fun.exe
2092	SVIQ.EXE
2444	dc.exe
2656	Fun.exe
2824	SVIQ.EXE
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2748	Fun.exe
2180	SVIQ.EXE
2444	dc.exe
1952	Fun.exe
1972	SVIQ.EXE
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2364	Fun.exe
2020	SVIQ.EXE
2444	dc.exe
2856	Fun.exe
2736	SVIQ.EXE
1536	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
1264	Fun.exe
1320	SVIQ.EXE
2444	dc.exe
2780	Fun.exe
2736	SVIQ.EXE
2472	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
2132	Fun.exe
2132	Fun.exe
2736	SVIQ.EXE
2736	SVIQ.EXE
2444	dc.exe
2444	dc.exe
2440	Fun.exe
2440	Fun.exe
2524	SVIQ.EXE
2524	SVIQ.EXE
1200	Fun.exe
1200	Fun.exe
2120	SVIQ.EXE
2120	SVIQ.EXE
1976	Fun.exe
1976	Fun.exe
1760	SVIQ.EXE
1760	SVIQ.EXE
2852	Fun.exe
2852	Fun.exe
1476	SVIQ.EXE
1476	SVIQ.EXE
2972	Fun.exe
2972	Fun.exe
1240	SVIQ.EXE
1240	SVIQ.EXE
1608	Fun.exe
1608	Fun.exe
2092	SVIQ.EXE
2092	SVIQ.EXE
2656	Fun.exe
2656	Fun.exe
2824	SVIQ.EXE
2824	SVIQ.EXE
2748	Fun.exe
2748	Fun.exe
2180	SVIQ.EXE
2180	SVIQ.EXE
1952	Fun.exe
1952	Fun.exe
1972	SVIQ.EXE
1972	SVIQ.EXE
2364	Fun.exe
2364	Fun.exe
2020	SVIQ.EXE
2020	SVIQ.EXE
2856	Fun.exe
2856	Fun.exe
1536	SVIQ.EXE
1536	SVIQ.EXE
1264	Fun.exe
1264	Fun.exe
1320	SVIQ.EXE
1320	SVIQ.EXE
2780	Fun.exe
2780	Fun.exe
2472	SVIQ.EXE
2472	SVIQ.EXE
2384	Fun.exe
2384	Fun.exe
3052	SVIQ.EXE
3052	SVIQ.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2132	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2132	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2132	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2132	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2736	2132	Fun.exe	32
PID 2132 wrote to memory of 2736	2132	Fun.exe	32
PID 2132 wrote to memory of 2736	2132	Fun.exe	32
PID 2132 wrote to memory of 2736	2132	Fun.exe	32
PID 2100 wrote to memory of 2444	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2444	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2444	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2444	2100	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	33
PID 2444 wrote to memory of 2440	2444	dc.exe	36
PID 2444 wrote to memory of 2440	2444	dc.exe	36
PID 2444 wrote to memory of 2440	2444	dc.exe	36
PID 2444 wrote to memory of 2440	2444	dc.exe	36
PID 2440 wrote to memory of 2524	2440	Fun.exe	37
PID 2440 wrote to memory of 2524	2440	Fun.exe	37
PID 2440 wrote to memory of 2524	2440	Fun.exe	37
PID 2440 wrote to memory of 2524	2440	Fun.exe	37
PID 2736 wrote to memory of 1200	2736	SVIQ.EXE	38
PID 2736 wrote to memory of 1200	2736	SVIQ.EXE	38
PID 2736 wrote to memory of 1200	2736	SVIQ.EXE	38
PID 2736 wrote to memory of 1200	2736	SVIQ.EXE	38
PID 1200 wrote to memory of 2120	1200	Fun.exe	39
PID 1200 wrote to memory of 2120	1200	Fun.exe	39
PID 1200 wrote to memory of 2120	1200	Fun.exe	39
PID 1200 wrote to memory of 2120	1200	Fun.exe	39
PID 2736 wrote to memory of 1976	2736	SVIQ.EXE	40
PID 2736 wrote to memory of 1976	2736	SVIQ.EXE	40
PID 2736 wrote to memory of 1976	2736	SVIQ.EXE	40
PID 2736 wrote to memory of 1976	2736	SVIQ.EXE	40
PID 1976 wrote to memory of 1760	1976	Fun.exe	41
PID 1976 wrote to memory of 1760	1976	Fun.exe	41
PID 1976 wrote to memory of 1760	1976	Fun.exe	41
PID 1976 wrote to memory of 1760	1976	Fun.exe	41
PID 2736 wrote to memory of 2852	2736	SVIQ.EXE	42
PID 2736 wrote to memory of 2852	2736	SVIQ.EXE	42
PID 2736 wrote to memory of 2852	2736	SVIQ.EXE	42
PID 2736 wrote to memory of 2852	2736	SVIQ.EXE	42
PID 2852 wrote to memory of 1476	2852	Fun.exe	43
PID 2852 wrote to memory of 1476	2852	Fun.exe	43
PID 2852 wrote to memory of 1476	2852	Fun.exe	43
PID 2852 wrote to memory of 1476	2852	Fun.exe	43
PID 2444 wrote to memory of 2972	2444	dc.exe	44
PID 2444 wrote to memory of 2972	2444	dc.exe	44
PID 2444 wrote to memory of 2972	2444	dc.exe	44
PID 2444 wrote to memory of 2972	2444	dc.exe	44
PID 2972 wrote to memory of 1240	2972	Fun.exe	45
PID 2972 wrote to memory of 1240	2972	Fun.exe	45
PID 2972 wrote to memory of 1240	2972	Fun.exe	45
PID 2972 wrote to memory of 1240	2972	Fun.exe	45
PID 2736 wrote to memory of 1608	2736	SVIQ.EXE	46
PID 2736 wrote to memory of 1608	2736	SVIQ.EXE	46
PID 2736 wrote to memory of 1608	2736	SVIQ.EXE	46
PID 2736 wrote to memory of 1608	2736	SVIQ.EXE	46
PID 1608 wrote to memory of 2092	1608	Fun.exe	47
PID 1608 wrote to memory of 2092	1608	Fun.exe	47
PID 1608 wrote to memory of 2092	1608	Fun.exe	47
PID 1608 wrote to memory of 2092	1608	Fun.exe	47
PID 2444 wrote to memory of 2656	2444	dc.exe	48
PID 2444 wrote to memory of 2656	2444	dc.exe	48
PID 2444 wrote to memory of 2656	2444	dc.exe	48
PID 2444 wrote to memory of 2656	2444	dc.exe	48

C:\Users\Admin\AppData\Local\Temp\ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2120
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1760
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1476
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2092
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2748
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2180
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2364
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2020
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1264
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1320
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2384
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:1732
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2092
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:680
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:324
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:948
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        
        PID:2036
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1200
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:2164
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:1596
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:1212
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      PID:1680
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      PID:2556
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:3064
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      PID:1888
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1704
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2904
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1980
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:960
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:816
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1360
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      PID:2124
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2092
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:316
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:808
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2536
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:864
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1520
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2412
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2256
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:2468
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:2072
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2396
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2020
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2228
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:864
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2860
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:960
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2276
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in Windows directory
      PID:336
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1356
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2124
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2052
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2724
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:736
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2400
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
- C:\Windows\dc.exe
  C:\Windows\dc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2524
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1240
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2656
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2824
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1972
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1536
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2780
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2472
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:996
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2328
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:1356
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2804
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2240
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:1568
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:2200
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:1804
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:696
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:2152
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:2588
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:3040
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:1500
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:540
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1756
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2748
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:1540
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2200
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:668
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2436
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:276
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1452
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2772
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2180
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1532
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Windows directory
    PID:1236
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2352
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:944
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    PID:468
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2804
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1872
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1144
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1540
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:964
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:696
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1408
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:996
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    PID:2556
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1016
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1796
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1760
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SVIQ.EXE

Filesize
376KB

MD5
ed7106c2fe2aaa98b9c79c264f5061e5

SHA1
760e2e1e1f6527752443cd28e6b78da10a5a84fc

SHA256
cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd

SHA512
071ca7b0745d95d9ff6325a7939288a346b8dec66b5e606a65fb71e4b80eb712ca7e5a478ef95e4107d3ad91294fd3113302b0735d3c94f0b548406f5392ea9c

Download Submit
C:\Windows\inf\Other.exe

Filesize
63KB

MD5
445d57d80e3f6e3ba91b93f349b13b81

SHA1
753805a118fdc3ab62f6d295211846f003489a22

SHA256
aced2b231e850f4603777a320a3dd199b423289ad84917fa6ac799a09b9d5aec

SHA512
8ad9cc79443c51780c0e82854ee9844ae4f6932ad8e4ab4567a352cc6e3cc9d2ba674b4146de6df1473935ef2268e101ef5ebaffda1740af955d75b11a847cb7

Download Submit
C:\Windows\wininit.ini

Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
memory/948-497-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/996-410-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/996-405-0x00000000004A0000-0x000000000051A000-memory.dmp

Filesize
488KB

Download
memory/1200-154-0x0000000003910000-0x000000000398A000-memory.dmp

Filesize
488KB

Download
memory/1200-153-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1240-230-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1264-354-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1264-355-0x0000000003910000-0x000000000398A000-memory.dmp

Filesize
488KB

Download
memory/1292-574-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1320-353-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1476-205-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1528-534-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1536-334-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1568-515-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1568-511-0x0000000002590000-0x000000000260A000-memory.dmp

Filesize
488KB

Download
memory/1596-539-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1680-601-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1680-599-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1760-178-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1940-479-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-300-0x0000000003960000-0x00000000039DA000-memory.dmp

Filesize
488KB

Download
memory/1952-299-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-294-0x0000000003960000-0x00000000039DA000-memory.dmp

Filesize
488KB

Download
memory/1972-298-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1976-179-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1976-180-0x0000000003850000-0x00000000038CA000-memory.dmp

Filesize
488KB

Download
memory/2036-496-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2092-249-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2092-435-0x0000000003950000-0x00000000039CA000-memory.dmp

Filesize
488KB

Download
memory/2092-246-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2092-436-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2100-81-0x0000000002790000-0x000000000280A000-memory.dmp

Filesize
488KB

Download
memory/2100-27-0x0000000002790000-0x000000000280A000-memory.dmp

Filesize
488KB

Download
memory/2100-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2100-99-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2120-152-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2124-434-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2132-100-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2132-101-0x0000000002730000-0x00000000027AA000-memory.dmp

Filesize
488KB

Download
memory/2180-281-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2200-514-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2284-609-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2328-409-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-313-0x00000000038F0000-0x000000000396A000-memory.dmp

Filesize
488KB

Download
memory/2364-317-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2384-392-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2384-388-0x00000000037F0000-0x000000000386A000-memory.dmp

Filesize
488KB

Download
memory/2440-123-0x0000000003820000-0x000000000389A000-memory.dmp

Filesize
488KB

Download
memory/2440-128-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2444-517-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-318-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-103-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-375-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2444-541-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-356-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-593-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-575-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-437-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-480-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-516-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-454-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-458-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-540-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2444-465-0x0000000001DF0000-0x0000000001E6A000-memory.dmp

Filesize
488KB

Download
memory/2524-127-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2556-640-0x00000000038A0000-0x000000000391A000-memory.dmp

Filesize
488KB

Download
memory/2588-588-0x0000000003940000-0x00000000039BA000-memory.dmp

Filesize
488KB

Download
memory/2588-592-0x0000000003940000-0x00000000039BA000-memory.dmp

Filesize
488KB

Download
memory/2668-464-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2700-626-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2736-374-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2736-557-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-627-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-622-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-455-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-602-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-337-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-525-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-430-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-411-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-373-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-498-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2736-558-0x0000000002550000-0x00000000025CA000-memory.dmp

Filesize
488KB

Download
memory/2748-472-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2756-524-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2780-372-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2804-453-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2824-265-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2844-463-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2852-206-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2852-201-0x0000000002620000-0x000000000269A000-memory.dmp

Filesize
488KB

Download
memory/2852-207-0x0000000002620000-0x000000000269A000-memory.dmp

Filesize
488KB

Download
memory/2856-335-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2856-336-0x00000000026D0000-0x000000000274A000-memory.dmp

Filesize
488KB

Download
memory/2972-226-0x00000000026A0000-0x000000000271A000-memory.dmp

Filesize
488KB

Download
memory/2972-232-0x00000000026A0000-0x000000000271A000-memory.dmp

Filesize
488KB

Download
memory/2972-231-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download