modiloader | 797a4dd8713d7b0c1441ca179aba4e57c0dde00de7da5590ba14ee95a7cf75a8

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
Size

718KB
MD5

f539d74f22684ccfb28ea4527f3964fb
SHA1

fbe836d5344518a1b79737cb93c8847a1e73c837
SHA256

797a4dd8713d7b0c1441ca179aba4e57c0dde00de7da5590ba14ee95a7cf75a8
SHA512

2104bd11ee98f2a23b607b4ddcf2a2cdcd843b85699736a3312b62eb9b2121faebdbcdb5b55e7793f7997e97f1b94e07e523512850364e60e1522ba491c88d25
SSDEEP

12288:DgDGtHX0KJYVihEF6fDFeOeYc8S2FHJGX1rLVtigTOpXODH3UqCILsmoK:cDGtHz2sdneYc8Dp41rLVtigixOCSoK

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2352-2-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/files/0x0007000000012117-6.dat	modiloader_stage2
behavioral1/memory/2352-16-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2556-14-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2556-21-0x0000000003D30000-0x0000000003DF1000-memory.dmp	modiloader_stage2
behavioral1/memory/2556-24-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-30-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/3004-29-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-33-0x0000000005390000-0x0000000005451000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-37-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-35-0x0000000005390000-0x0000000005451000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-40-0x0000000005560000-0x0000000005621000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-43-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-47-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2696-49-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-52-0x0000000003E80000-0x0000000003F41000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-55-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1844-60-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/796-65-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-70-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/352-75-0x0000000003E40000-0x0000000003F01000-memory.dmp	modiloader_stage2
behavioral1/memory/352-77-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1572-81-0x0000000003BB0000-0x0000000003C71000-memory.dmp	modiloader_stage2
behavioral1/memory/2308-83-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1572-80-0x0000000003BB0000-0x0000000003C71000-memory.dmp	modiloader_stage2
behavioral1/memory/1572-85-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2308-89-0x0000000003D60000-0x0000000003E21000-memory.dmp	modiloader_stage2
behavioral1/memory/2308-92-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1036-98-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1036-95-0x0000000003FC0000-0x0000000004081000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-103-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2164-102-0x0000000003CC0000-0x0000000003D81000-memory.dmp	modiloader_stage2
behavioral1/memory/2164-105-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-108-0x0000000003D80000-0x0000000003E41000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-112-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-109-0x0000000003D80000-0x0000000003E41000-memory.dmp	modiloader_stage2
behavioral1/memory/1320-115-0x0000000005360000-0x0000000005421000-memory.dmp	modiloader_stage2
behavioral1/memory/1320-117-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1700-118-0x00000000054E0000-0x00000000055A1000-memory.dmp	modiloader_stage2
behavioral1/memory/900-119-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1700-121-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/900-123-0x0000000003BC0000-0x0000000003C81000-memory.dmp	modiloader_stage2
behavioral1/memory/900-122-0x0000000003BC0000-0x0000000003C81000-memory.dmp	modiloader_stage2
behavioral1/memory/900-125-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2076-127-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1432-129-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1768-131-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/3008-134-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-132-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2536-136-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2392-138-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2772-140-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2776-142-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1904-145-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-143-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-146-0x0000000003E70000-0x0000000003F31000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-148-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-149-0x0000000003E20000-0x0000000003EE1000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-151-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-153-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/988-155-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-154-0x0000000005580000-0x0000000005641000-memory.dmp	modiloader_stage2
behavioral1/memory/988-157-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
2556	reda.exe
3004	reda.exe
2920	reda.exe
2668	reda.exe
2696	reda.exe
2192	reda.exe
1844	reda.exe
796	reda.exe
2608	reda.exe
352	reda.exe
1572	reda.exe
2308	reda.exe
1036	reda.exe
2164	reda.exe
2320	reda.exe
1320	reda.exe
1700	reda.exe
900	reda.exe
2076	reda.exe
1432	reda.exe
1768	reda.exe
3008	reda.exe
2536	reda.exe
2392	reda.exe
2772	reda.exe
2776	reda.exe
1904	reda.exe
2644	reda.exe
2640	reda.exe
2152	reda.exe
988	reda.exe
2228	reda.exe
108	reda.exe
2016	reda.exe
3056	reda.exe
2028	reda.exe
2420	reda.exe
588	reda.exe
540	reda.exe
916	reda.exe
544	reda.exe
2164	reda.exe
956	reda.exe
1884	reda.exe
1620	reda.exe
1664	reda.exe
2548	reda.exe
1324	reda.exe
2132	reda.exe
2492	reda.exe
2128	reda.exe
2056	reda.exe
2724	reda.exe
2836	reda.exe
2252	reda.exe
2776	reda.exe
2944	reda.exe
2840	reda.exe
1932	reda.exe
2072	reda.exe
852	reda.exe
2968	reda.exe
2004	reda.exe
2000	reda.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe

Loads dropped DLL 64 IoCs

pid	Process
2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
2556	reda.exe
2556	reda.exe
3004	reda.exe
3004	reda.exe
2920	reda.exe
2920	reda.exe
2668	reda.exe
2668	reda.exe
2696	reda.exe
2696	reda.exe
2192	reda.exe
2192	reda.exe
1844	reda.exe
1844	reda.exe
796	reda.exe
796	reda.exe
2608	reda.exe
2608	reda.exe
352	reda.exe
352	reda.exe
1572	reda.exe
1572	reda.exe
2308	reda.exe
2308	reda.exe
1036	reda.exe
1036	reda.exe
2164	reda.exe
2164	reda.exe
2320	reda.exe
2320	reda.exe
1320	reda.exe
1320	reda.exe
1700	reda.exe
1700	reda.exe
900	reda.exe
900	reda.exe
2076	reda.exe
2076	reda.exe
1432	reda.exe
1432	reda.exe
1768	reda.exe
1768	reda.exe
3008	reda.exe
3008	reda.exe
2536	reda.exe
2536	reda.exe
2392	reda.exe
2392	reda.exe
2772	reda.exe
2772	reda.exe
2776	reda.exe
2776	reda.exe
1904	reda.exe
1904	reda.exe
2644	reda.exe
2644	reda.exe
2640	reda.exe
2640	reda.exe
2152	reda.exe
2152	reda.exe
988	reda.exe
988	reda.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\reda4 = "C:\\Windows\\system32\\reda.exe"	reda.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File opened for modification	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe
File created	C:\Windows\SysWOW64\reda.exe	reda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2556	2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2556	2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2556	2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2556	2352	f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe	30
PID 2556 wrote to memory of 3004	2556	reda.exe	31
PID 2556 wrote to memory of 3004	2556	reda.exe	31
PID 2556 wrote to memory of 3004	2556	reda.exe	31
PID 2556 wrote to memory of 3004	2556	reda.exe	31
PID 3004 wrote to memory of 2920	3004	reda.exe	32
PID 3004 wrote to memory of 2920	3004	reda.exe	32
PID 3004 wrote to memory of 2920	3004	reda.exe	32
PID 3004 wrote to memory of 2920	3004	reda.exe	32
PID 2920 wrote to memory of 2668	2920	reda.exe	33
PID 2920 wrote to memory of 2668	2920	reda.exe	33
PID 2920 wrote to memory of 2668	2920	reda.exe	33
PID 2920 wrote to memory of 2668	2920	reda.exe	33
PID 2668 wrote to memory of 2696	2668	reda.exe	34
PID 2668 wrote to memory of 2696	2668	reda.exe	34
PID 2668 wrote to memory of 2696	2668	reda.exe	34
PID 2668 wrote to memory of 2696	2668	reda.exe	34
PID 2696 wrote to memory of 2192	2696	reda.exe	35
PID 2696 wrote to memory of 2192	2696	reda.exe	35
PID 2696 wrote to memory of 2192	2696	reda.exe	35
PID 2696 wrote to memory of 2192	2696	reda.exe	35
PID 2192 wrote to memory of 1844	2192	reda.exe	36
PID 2192 wrote to memory of 1844	2192	reda.exe	36
PID 2192 wrote to memory of 1844	2192	reda.exe	36
PID 2192 wrote to memory of 1844	2192	reda.exe	36
PID 1844 wrote to memory of 796	1844	reda.exe	37
PID 1844 wrote to memory of 796	1844	reda.exe	37
PID 1844 wrote to memory of 796	1844	reda.exe	37
PID 1844 wrote to memory of 796	1844	reda.exe	37
PID 796 wrote to memory of 2608	796	reda.exe	38
PID 796 wrote to memory of 2608	796	reda.exe	38
PID 796 wrote to memory of 2608	796	reda.exe	38
PID 796 wrote to memory of 2608	796	reda.exe	38
PID 2608 wrote to memory of 352	2608	reda.exe	39
PID 2608 wrote to memory of 352	2608	reda.exe	39
PID 2608 wrote to memory of 352	2608	reda.exe	39
PID 2608 wrote to memory of 352	2608	reda.exe	39
PID 352 wrote to memory of 1572	352	reda.exe	40
PID 352 wrote to memory of 1572	352	reda.exe	40
PID 352 wrote to memory of 1572	352	reda.exe	40
PID 352 wrote to memory of 1572	352	reda.exe	40
PID 1572 wrote to memory of 2308	1572	reda.exe	41
PID 1572 wrote to memory of 2308	1572	reda.exe	41
PID 1572 wrote to memory of 2308	1572	reda.exe	41
PID 1572 wrote to memory of 2308	1572	reda.exe	41
PID 2308 wrote to memory of 1036	2308	reda.exe	42
PID 2308 wrote to memory of 1036	2308	reda.exe	42
PID 2308 wrote to memory of 1036	2308	reda.exe	42
PID 2308 wrote to memory of 1036	2308	reda.exe	42
PID 1036 wrote to memory of 2164	1036	reda.exe	43
PID 1036 wrote to memory of 2164	1036	reda.exe	43
PID 1036 wrote to memory of 2164	1036	reda.exe	43
PID 1036 wrote to memory of 2164	1036	reda.exe	43
PID 2164 wrote to memory of 2320	2164	reda.exe	44
PID 2164 wrote to memory of 2320	2164	reda.exe	44
PID 2164 wrote to memory of 2320	2164	reda.exe	44
PID 2164 wrote to memory of 2320	2164	reda.exe	44
PID 2320 wrote to memory of 1320	2320	reda.exe	45
PID 2320 wrote to memory of 1320	2320	reda.exe	45
PID 2320 wrote to memory of 1320	2320	reda.exe	45
PID 2320 wrote to memory of 1320	2320	reda.exe	45

C:\Users\Admin\AppData\Local\Temp\f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f539d74f22684ccfb28ea4527f3964fb_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\reda.exe
  "C:\Windows\system32\reda.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\reda.exe
    "C:\Windows\system32\reda.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\reda.exe
      "C:\Windows\system32\reda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1320
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1432
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3008
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2536
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2776
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1904
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2152
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:988
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        33⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        35⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        37⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2420
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        45⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        46⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        47⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        49⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        50⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2724
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        58⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1932
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        61⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        62⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2000
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        66⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        67⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        68⤵
        Adds Run key to start application
        
        PID:2956
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        69⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        71⤵
        Adds Run key to start application
        
        PID:1112
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        73⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        74⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        75⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        76⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        78⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        81⤵
        Adds Run key to start application
        
        PID:1448
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        82⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        83⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        85⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        86⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        88⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        89⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        93⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        94⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        96⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        97⤵
        Adds Run key to start application
        
        PID:2016
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        98⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        99⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        101⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        102⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        104⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        105⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        106⤵
        Adds Run key to start application
        
        PID:1544
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        107⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        108⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        109⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        110⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        111⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        115⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        116⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        117⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        118⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        120⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        123⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        124⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        126⤵
        Adds Run key to start application
        
        PID:2672
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        128⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        129⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        130⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        131⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        132⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        133⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        134⤵
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        135⤵
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        137⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        138⤵
        Adds Run key to start application
        
        PID:1096
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        139⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        142⤵
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        144⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        146⤵
        Adds Run key to start application
        
        PID:2204
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        147⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        148⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        150⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        151⤵
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        152⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        153⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        154⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        155⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        157⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        158⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        159⤵
        Adds Run key to start application
        
        PID:2672
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        160⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        161⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        162⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        163⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        164⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        165⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        166⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        167⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        169⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        170⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        171⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        172⤵
        Adds Run key to start application
        
        PID:868
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        174⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        175⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        176⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        177⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        179⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        180⤵
        Adds Run key to start application
        
        PID:3008
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        181⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        182⤵
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        183⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        185⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        186⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        187⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        188⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        190⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        191⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        192⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        193⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        194⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reda.exe
        
        "C:\Windows\system32\reda.exe"
        195⤵
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\reda.exe

Filesize
718KB

MD5
f539d74f22684ccfb28ea4527f3964fb

SHA1
fbe836d5344518a1b79737cb93c8847a1e73c837

SHA256
797a4dd8713d7b0c1441ca179aba4e57c0dde00de7da5590ba14ee95a7cf75a8

SHA512
2104bd11ee98f2a23b607b4ddcf2a2cdcd843b85699736a3312b62eb9b2121faebdbcdb5b55e7793f7997e97f1b94e07e523512850364e60e1522ba491c88d25

Download Submit
memory/108-162-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/352-77-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/352-75-0x0000000003E40000-0x0000000003F01000-memory.dmp

Filesize
772KB

Download
memory/540-175-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/544-180-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/588-173-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/796-65-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/852-203-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/900-125-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/900-122-0x0000000003BC0000-0x0000000003C81000-memory.dmp

Filesize
772KB

Download
memory/900-123-0x0000000003BC0000-0x0000000003C81000-memory.dmp

Filesize
772KB

Download
memory/900-119-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/916-177-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/956-184-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/988-157-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/988-155-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1036-98-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1036-95-0x0000000003FC0000-0x0000000004081000-memory.dmp

Filesize
772KB

Download
memory/1320-117-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1320-115-0x0000000005360000-0x0000000005421000-memory.dmp

Filesize
772KB

Download
memory/1324-190-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1432-129-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1572-81-0x0000000003BB0000-0x0000000003C71000-memory.dmp

Filesize
772KB

Download
memory/1572-80-0x0000000003BB0000-0x0000000003C71000-memory.dmp

Filesize
772KB

Download
memory/1572-85-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1620-187-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1664-188-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1700-118-0x00000000054E0000-0x00000000055A1000-memory.dmp

Filesize
772KB

Download
memory/1700-121-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1768-131-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1844-60-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1884-186-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1904-145-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1932-201-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2004-205-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2016-163-0x0000000004170000-0x0000000004231000-memory.dmp

Filesize
772KB

Download
memory/2016-165-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2016-160-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2028-169-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2056-194-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2072-202-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2076-127-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2128-193-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2132-191-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2152-154-0x0000000005580000-0x0000000005641000-memory.dmp

Filesize
772KB

Download
memory/2152-153-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2164-105-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2164-182-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2164-178-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2164-102-0x0000000003CC0000-0x0000000003D81000-memory.dmp

Filesize
772KB

Download
memory/2192-47-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2192-52-0x0000000003E80000-0x0000000003F41000-memory.dmp

Filesize
772KB

Download
memory/2192-55-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2228-159-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2252-197-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2308-92-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2308-83-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2308-89-0x0000000003D60000-0x0000000003E21000-memory.dmp

Filesize
772KB

Download
memory/2320-103-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2320-108-0x0000000003D80000-0x0000000003E41000-memory.dmp

Filesize
772KB

Download
memory/2320-109-0x0000000003D80000-0x0000000003E41000-memory.dmp

Filesize
772KB

Download
memory/2320-112-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2352-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2352-2-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2352-12-0x0000000003EF0000-0x0000000003FB1000-memory.dmp

Filesize
772KB

Download
memory/2352-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2352-1-0x0000000000401000-0x000000000047F000-memory.dmp

Filesize
504KB

Download
memory/2392-138-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-171-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2492-192-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2536-136-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2536-132-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2548-189-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2556-24-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2556-20-0x0000000003D30000-0x0000000003DF1000-memory.dmp

Filesize
772KB

Download
memory/2556-21-0x0000000003D30000-0x0000000003DF1000-memory.dmp

Filesize
772KB

Download
memory/2556-14-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2608-70-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2640-151-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2640-149-0x0000000003E20000-0x0000000003EE1000-memory.dmp

Filesize
772KB

Download
memory/2644-148-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2644-143-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2644-146-0x0000000003E70000-0x0000000003F31000-memory.dmp

Filesize
772KB

Download
memory/2668-40-0x0000000005560000-0x0000000005621000-memory.dmp

Filesize
772KB

Download
memory/2668-43-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2696-49-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2724-195-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2772-140-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2776-198-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2776-142-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2836-196-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2840-200-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2920-37-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2920-30-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2920-33-0x0000000005390000-0x0000000005451000-memory.dmp

Filesize
772KB

Download
memory/2920-35-0x0000000005390000-0x0000000005451000-memory.dmp

Filesize
772KB

Download
memory/2944-199-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2968-204-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3004-29-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3008-134-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3056-167-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads