modiloader | 01d131693f0ab79b803e249a760b173abaf1ff5c837623d2e0d7e64882a20c27

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
Size

65KB
MD5

859faeba19d64c6d79585ec77103f541
SHA1

fd66f0d783741b99d3b1606877e90c1631530928
SHA256

01d131693f0ab79b803e249a760b173abaf1ff5c837623d2e0d7e64882a20c27
SHA512

1fcaebbceef41b9560a8cc31d92bdb62c960cc7ee064fd771fc6c3a616d1ba6c580e5ba755c95668f3e89d4086868ff7f0ca30d8f4e3c6a58a58339d2e1fd4a3
SSDEEP

768:6TQrdTS2fDx1PTKZ3f9zngwJNNrcjmAffI:BdTvDx1W9z34jmAfQ

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/files/0x000b000000012280-3.dat	modiloader_stage2
behavioral1/memory/3032-4-0x0000000000570000-0x0000000000582000-memory.dmp	modiloader_stage2
behavioral1/memory/3032-12-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-18-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-17-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/3056-24-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-23-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2332-21-0x0000000000540000-0x0000000000552000-memory.dmp	modiloader_stage2
behavioral1/memory/3056-28-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2568-29-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2568-32-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2816-36-0x0000000000530000-0x0000000000542000-memory.dmp	modiloader_stage2
behavioral1/memory/2816-38-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-41-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2716-46-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2996-50-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-53-0x00000000003D0000-0x00000000003E2000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-54-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2432-58-0x0000000002080000-0x0000000002092000-memory.dmp	modiloader_stage2
behavioral1/memory/2352-61-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2432-60-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2352-64-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1092-69-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1740-72-0x00000000026A0000-0x00000000026B2000-memory.dmp	modiloader_stage2
behavioral1/memory/1740-74-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/288-78-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2124-81-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-87-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/380-86-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-92-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1540-95-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/292-101-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/292-100-0x0000000002780000-0x0000000002792000-memory.dmp	modiloader_stage2
behavioral1/memory/292-99-0x0000000002780000-0x0000000002792000-memory.dmp	modiloader_stage2
behavioral1/memory/1696-107-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2900-104-0x00000000003D0000-0x00000000003E2000-memory.dmp	modiloader_stage2
behavioral1/memory/1696-108-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2256-109-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2900-110-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2176-111-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2924-112-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1784-113-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1336-115-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/3052-114-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1336-116-0x0000000001FC0000-0x0000000001FD2000-memory.dmp	modiloader_stage2
behavioral1/memory/1336-117-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/768-118-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/344-119-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2136-120-0x0000000000310000-0x0000000000322000-memory.dmp	modiloader_stage2
behavioral1/memory/2136-121-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-122-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1608-125-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2576-127-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2896-131-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2104-133-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2380-134-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2380-132-0x00000000020C0000-0x00000000020D2000-memory.dmp	modiloader_stage2
behavioral1/memory/2112-136-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2104-135-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2648-138-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-139-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/2108-140-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1616-141-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
1728	Keylogger.exe
2332	Keylogger.exe
3056	Keylogger.exe
2568	Keylogger.exe
2816	Keylogger.exe
2220	Keylogger.exe
2716	Keylogger.exe
2996	Keylogger.exe
2720	Keylogger.exe
2432	Keylogger.exe
2352	Keylogger.exe
1092	Keylogger.exe
1740	Keylogger.exe
288	Keylogger.exe
2124	Keylogger.exe
380	Keylogger.exe
1248	Keylogger.exe
1540	Keylogger.exe
292	Keylogger.exe
2900	Keylogger.exe
1696	Keylogger.exe
2256	Keylogger.exe
2176	Keylogger.exe
2924	Keylogger.exe
1784	Keylogger.exe
3052	Keylogger.exe
1336	Keylogger.exe
768	Keylogger.exe
344	Keylogger.exe
2136	Keylogger.exe
1984	Keylogger.exe
1608	Keylogger.exe
2576	Keylogger.exe
2112	Keylogger.exe
2896	Keylogger.exe
2380	Keylogger.exe
2104	Keylogger.exe
2648	Keylogger.exe
2400	Keylogger.exe
2108	Keylogger.exe
1616	Keylogger.exe
2120	Keylogger.exe
2396	Keylogger.exe
2492	Keylogger.exe
2092	Keylogger.exe
2876	Keylogger.exe
1796	Keylogger.exe
3056	Keylogger.exe
2960	Keylogger.exe
2940	Keylogger.exe
3000	Keylogger.exe
2872	Keylogger.exe
2956	Keylogger.exe
2684	Keylogger.exe
2756	Keylogger.exe
2368	Keylogger.exe
2868	Keylogger.exe
2748	Keylogger.exe
632	Keylogger.exe
1692	Keylogger.exe
1800	Keylogger.exe
1812	Keylogger.exe
1120	Keylogger.exe
2392	Keylogger.exe

Loads dropped DLL 64 IoCs

pid	Process
3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
1728	Keylogger.exe
1728	Keylogger.exe
2332	Keylogger.exe
2332	Keylogger.exe
3056	Keylogger.exe
3056	Keylogger.exe
2568	Keylogger.exe
2568	Keylogger.exe
2816	Keylogger.exe
2816	Keylogger.exe
2220	Keylogger.exe
2220	Keylogger.exe
2716	Keylogger.exe
2716	Keylogger.exe
2996	Keylogger.exe
2996	Keylogger.exe
2720	Keylogger.exe
2720	Keylogger.exe
2432	Keylogger.exe
2432	Keylogger.exe
2352	Keylogger.exe
2352	Keylogger.exe
1092	Keylogger.exe
1092	Keylogger.exe
1740	Keylogger.exe
1740	Keylogger.exe
288	Keylogger.exe
288	Keylogger.exe
2124	Keylogger.exe
2124	Keylogger.exe
380	Keylogger.exe
380	Keylogger.exe
1248	Keylogger.exe
1248	Keylogger.exe
1540	Keylogger.exe
1540	Keylogger.exe
292	Keylogger.exe
292	Keylogger.exe
2900	Keylogger.exe
2900	Keylogger.exe
1696	Keylogger.exe
1696	Keylogger.exe
2256	Keylogger.exe
2256	Keylogger.exe
2176	Keylogger.exe
2176	Keylogger.exe
2924	Keylogger.exe
2924	Keylogger.exe
1784	Keylogger.exe
1784	Keylogger.exe
3052	Keylogger.exe
3052	Keylogger.exe
1336	Keylogger.exe
1336	Keylogger.exe
768	Keylogger.exe
768	Keylogger.exe
344	Keylogger.exe
344	Keylogger.exe
2136	Keylogger.exe
2136	Keylogger.exe
1984	Keylogger.exe
1984	Keylogger.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Ie = "C:\\Windows\\SysWOW64\\Keylogger.exe"	Keylogger.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File opened for modification	C:\Windows\SysWOW64\Keylogger.exe	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe
File created	C:\Windows\SysWOW64\Keylogger.exe	Keylogger.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x000b000000012280-3.dat	upx
behavioral1/memory/3032-4-0x0000000000570000-0x0000000000582000-memory.dmp	upx
behavioral1/memory/3032-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2332-18-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1728-17-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/3056-24-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2332-23-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/3056-28-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2568-29-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2568-32-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2816-38-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2220-41-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2716-46-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2996-50-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2720-54-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2352-61-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2432-60-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2352-64-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1092-69-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1740-74-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/288-78-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2124-81-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1248-87-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/380-86-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1248-92-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1540-95-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/292-101-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1696-107-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1696-108-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2256-109-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2900-110-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2176-111-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2924-112-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1784-113-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1336-115-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/3052-114-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1336-117-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/768-118-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/344-119-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2136-121-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1984-122-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1608-125-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2576-127-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2896-131-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2104-133-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2380-134-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2112-136-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2104-135-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2648-138-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2400-139-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2108-140-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1616-141-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2120-142-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2396-143-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2492-144-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2092-145-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2092-147-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2876-149-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1796-150-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/3056-151-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2960-153-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2940-155-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/3000-157-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keylogger.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1728	3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1728	3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1728	3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1728	3032	859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2332	1728	Keylogger.exe	31
PID 1728 wrote to memory of 2332	1728	Keylogger.exe	31
PID 1728 wrote to memory of 2332	1728	Keylogger.exe	31
PID 1728 wrote to memory of 2332	1728	Keylogger.exe	31
PID 2332 wrote to memory of 3056	2332	Keylogger.exe	32
PID 2332 wrote to memory of 3056	2332	Keylogger.exe	32
PID 2332 wrote to memory of 3056	2332	Keylogger.exe	32
PID 2332 wrote to memory of 3056	2332	Keylogger.exe	32
PID 3056 wrote to memory of 2568	3056	Keylogger.exe	33
PID 3056 wrote to memory of 2568	3056	Keylogger.exe	33
PID 3056 wrote to memory of 2568	3056	Keylogger.exe	33
PID 3056 wrote to memory of 2568	3056	Keylogger.exe	33
PID 2568 wrote to memory of 2816	2568	Keylogger.exe	35
PID 2568 wrote to memory of 2816	2568	Keylogger.exe	35
PID 2568 wrote to memory of 2816	2568	Keylogger.exe	35
PID 2568 wrote to memory of 2816	2568	Keylogger.exe	35
PID 2816 wrote to memory of 2220	2816	Keylogger.exe	36
PID 2816 wrote to memory of 2220	2816	Keylogger.exe	36
PID 2816 wrote to memory of 2220	2816	Keylogger.exe	36
PID 2816 wrote to memory of 2220	2816	Keylogger.exe	36
PID 2220 wrote to memory of 2716	2220	Keylogger.exe	37
PID 2220 wrote to memory of 2716	2220	Keylogger.exe	37
PID 2220 wrote to memory of 2716	2220	Keylogger.exe	37
PID 2220 wrote to memory of 2716	2220	Keylogger.exe	37
PID 2716 wrote to memory of 2996	2716	Keylogger.exe	38
PID 2716 wrote to memory of 2996	2716	Keylogger.exe	38
PID 2716 wrote to memory of 2996	2716	Keylogger.exe	38
PID 2716 wrote to memory of 2996	2716	Keylogger.exe	38
PID 2996 wrote to memory of 2720	2996	Keylogger.exe	39
PID 2996 wrote to memory of 2720	2996	Keylogger.exe	39
PID 2996 wrote to memory of 2720	2996	Keylogger.exe	39
PID 2996 wrote to memory of 2720	2996	Keylogger.exe	39
PID 2720 wrote to memory of 2432	2720	Keylogger.exe	40
PID 2720 wrote to memory of 2432	2720	Keylogger.exe	40
PID 2720 wrote to memory of 2432	2720	Keylogger.exe	40
PID 2720 wrote to memory of 2432	2720	Keylogger.exe	40
PID 2432 wrote to memory of 2352	2432	Keylogger.exe	41
PID 2432 wrote to memory of 2352	2432	Keylogger.exe	41
PID 2432 wrote to memory of 2352	2432	Keylogger.exe	41
PID 2432 wrote to memory of 2352	2432	Keylogger.exe	41
PID 2352 wrote to memory of 1092	2352	Keylogger.exe	42
PID 2352 wrote to memory of 1092	2352	Keylogger.exe	42
PID 2352 wrote to memory of 1092	2352	Keylogger.exe	42
PID 2352 wrote to memory of 1092	2352	Keylogger.exe	42
PID 1092 wrote to memory of 1740	1092	Keylogger.exe	43
PID 1092 wrote to memory of 1740	1092	Keylogger.exe	43
PID 1092 wrote to memory of 1740	1092	Keylogger.exe	43
PID 1092 wrote to memory of 1740	1092	Keylogger.exe	43
PID 1740 wrote to memory of 288	1740	Keylogger.exe	44
PID 1740 wrote to memory of 288	1740	Keylogger.exe	44
PID 1740 wrote to memory of 288	1740	Keylogger.exe	44
PID 1740 wrote to memory of 288	1740	Keylogger.exe	44
PID 288 wrote to memory of 2124	288	Keylogger.exe	45
PID 288 wrote to memory of 2124	288	Keylogger.exe	45
PID 288 wrote to memory of 2124	288	Keylogger.exe	45
PID 288 wrote to memory of 2124	288	Keylogger.exe	45
PID 2124 wrote to memory of 380	2124	Keylogger.exe	46
PID 2124 wrote to memory of 380	2124	Keylogger.exe	46
PID 2124 wrote to memory of 380	2124	Keylogger.exe	46
PID 2124 wrote to memory of 380	2124	Keylogger.exe	46

C:\Users\Admin\AppData\Local\Temp\859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\859faeba19d64c6d79585ec77103f541_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Keylogger.exe
  "C:\Windows\system32\Keylogger.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\Keylogger.exe
    "C:\Windows\system32\Keylogger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Keylogger.exe
      "C:\Windows\system32\Keylogger.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1248
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:292
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2176
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2924
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1784
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3052
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:768
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2896
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2108
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1616
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2120
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        46⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2876
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        51⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        52⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2872
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        63⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1120
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        65⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        66⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        67⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        69⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        70⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        71⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        72⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        73⤵
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        76⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        77⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        80⤵
        
        PID:692
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        81⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        82⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        83⤵
        Adds Run key to start application
        
        PID:1652
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        87⤵
        Adds Run key to start application
        
        PID:612
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        89⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        90⤵
        Adds Run key to start application
        
        PID:568
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        91⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        95⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        97⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        99⤵
        Adds Run key to start application
        
        PID:1500
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        100⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        101⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        102⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        103⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        104⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        105⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        106⤵
        Adds Run key to start application
        
        PID:2696
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        107⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        109⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        110⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        113⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        114⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        115⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        116⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        117⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        118⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        119⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        121⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        122⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        123⤵
        Adds Run key to start application
        
        PID:1900
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        124⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        126⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        127⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        128⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        131⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        133⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        134⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        136⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        137⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        139⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        140⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        141⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        143⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        144⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        145⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        146⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        147⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        148⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        149⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        150⤵
        Adds Run key to start application
        
        PID:1764
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        151⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        152⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        153⤵
        Adds Run key to start application
        
        PID:1584
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        154⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        155⤵
        Adds Run key to start application
        
        PID:1712
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        156⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        157⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        158⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        159⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        160⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        161⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        162⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        164⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        166⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        167⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        169⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        170⤵
        Adds Run key to start application
        
        PID:2140
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        171⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        173⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        175⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Keylogger.exe
        
        "C:\Windows\system32\Keylogger.exe"
        176⤵
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Keylogger.exe

Filesize
65KB

MD5
859faeba19d64c6d79585ec77103f541

SHA1
fd66f0d783741b99d3b1606877e90c1631530928

SHA256
01d131693f0ab79b803e249a760b173abaf1ff5c837623d2e0d7e64882a20c27

SHA512
1fcaebbceef41b9560a8cc31d92bdb62c960cc7ee064fd771fc6c3a616d1ba6c580e5ba755c95668f3e89d4086868ff7f0ca30d8f4e3c6a58a58339d2e1fd4a3

Download Submit
memory/288-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/292-99-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/292-101-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/292-100-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/344-119-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/380-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1092-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1248-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1248-90-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1248-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1336-116-0x0000000001FC0000-0x0000000001FD2000-memory.dmp

Filesize
72KB

Download
memory/1336-115-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1336-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-124-0x00000000028D0000-0x00000000028E2000-memory.dmp

Filesize
72KB

Download
memory/1608-123-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1616-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1696-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1696-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1728-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1740-72-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/1740-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1784-113-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1796-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1984-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2092-146-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/2092-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2092-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2104-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2104-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2108-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-128-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/2112-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2120-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2136-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2136-120-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2176-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2220-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-21-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2332-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2352-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2352-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2368-163-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2380-132-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/2380-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2396-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2400-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2432-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2432-58-0x0000000002080000-0x0000000002092000-memory.dmp

Filesize
72KB

Download
memory/2492-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2576-126-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2576-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2648-137-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2648-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2684-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2720-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2720-53-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2748-165-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2756-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-36-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2816-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2868-164-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2872-158-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2872-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2876-148-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2876-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2896-130-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2896-129-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2896-131-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-104-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2900-110-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2924-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2940-154-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2940-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-160-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2960-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2960-152-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2996-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3000-156-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/3000-157-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-10-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/3032-4-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/3032-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-114-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3056-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3056-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3056-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads