modiloader | e1a713cb4fb0925ad84cb8481dc9abd7c52af39a2de1178ee03ee8ee37b02f4a

Analysis

max time kernel
53s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
Size

1.2MB
MD5

98b9cdb8538396beac04570b859cbc71
SHA1

0d56b67caa70540818d64cf6c5081b78a162f4a6
SHA256

e1a713cb4fb0925ad84cb8481dc9abd7c52af39a2de1178ee03ee8ee37b02f4a
SHA512

787d9cb901af9f6f06dc96fdd20f6183927b24e798068bcc7cb8cab43b4095dd93dce4ca96d279b451b5e7d670a65c7144e4620d3d13f2132eebbd4e09beb975
SSDEEP

24576:zUuQmFQK1EA30nV/n+QmFQK1Mg3QmFQK1Hg3QmFQK1+g3QmFQK1xhg3QmFQK1m:zUuQmFQK1EJn5n+QmFQK1Mg3QmFQK1H2

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 64 IoCs

resource	yara_rule
behavioral1/memory/3028-36-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2856-44-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2856-41-0x0000000004EB0000-0x0000000004FA3000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-45-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-51-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-53-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-59-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2708-60-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2708-67-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/692-65-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/692-74-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/692-70-0x0000000004D80000-0x0000000004E73000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-80-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-82-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-77-0x0000000004FF0000-0x00000000050E3000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-86-0x0000000005060000-0x0000000005153000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-87-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-93-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-101-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1932-104-0x0000000004E60000-0x0000000004F53000-memory.dmp	modiloader_stage2
behavioral1/memory/1932-108-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1736-113-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/960-118-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1704-127-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1488-133-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-136-0x0000000004EE0000-0x0000000004FD3000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-138-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2328-140-0x0000000003AA0000-0x0000000003B93000-memory.dmp	modiloader_stage2
behavioral1/memory/2328-142-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-145-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1604-148-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2360-152-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2880-155-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-154-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2880-157-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2640-161-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2804-166-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-165-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2804-171-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2664-172-0x0000000004EC0000-0x0000000004FB3000-memory.dmp	modiloader_stage2
behavioral1/memory/2664-175-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2124-178-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2300-182-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1128-186-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-189-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2988-192-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1252-197-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2144-194-0x0000000003A50000-0x0000000003B43000-memory.dmp	modiloader_stage2
behavioral1/memory/3064-206-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1356-212-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1460-213-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1528-214-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/768-215-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2420-216-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1372-217-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1716-218-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2384-219-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2284-220-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-221-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2104-222-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2336-223-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2724-224-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-225-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2100-226-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
3028	Program.EXE
2548	Program1.EXE
2856	explore.exe
2928	explore.exe
2768	explore.exe
2708	explore.exe
692	explore.exe
1908	explore.exe
2808	explore.exe
3000	explore.exe
2220	explore.exe
1932	explore.exe
1736	explore.exe
960	explore.exe
1704	explore.exe
1488	explore.exe
2440	explore.exe
2328	explore.exe
2192	explore.exe
1604	explore.exe
2360	explore.exe
2036	explore.exe
2880	explore.exe
2640	explore.exe
2668	explore.exe
2804	explore.exe
2664	explore.exe
2124	explore.exe
2300	explore.exe
1128	explore.exe
1728	explore.exe
2988	explore.exe
2144	explore.exe
1252	explore.exe
3064	explore.exe
1320	explore.exe
1356	explore.exe
1460	explore.exe
1528	explore.exe
768	explore.exe
2420	explore.exe
1372	explore.exe
1716	explore.exe
2384	explore.exe
2284	explore.exe
1600	explore.exe
2104	explore.exe
2336	explore.exe
2724	explore.exe
2904	explore.exe
2100	explore.exe
2928	explore.exe
2280	explore.exe
2812	explore.exe
2084	explore.exe
1676	explore.exe
2836	explore.exe
752	explore.exe
1128	explore.exe
1176	explore.exe
2088	explore.exe
2296	explore.exe
2504	explore.exe
2152	explore.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Program.EXE

Loads dropped DLL 64 IoCs

pid	Process
3028	Program.EXE
3028	Program.EXE
2856	explore.exe
2856	explore.exe
2928	explore.exe
2928	explore.exe
2768	explore.exe
2768	explore.exe
2708	explore.exe
2708	explore.exe
692	explore.exe
692	explore.exe
1908	explore.exe
1908	explore.exe
2808	explore.exe
2808	explore.exe
3000	explore.exe
3000	explore.exe
2220	explore.exe
2220	explore.exe
1932	explore.exe
1932	explore.exe
1736	explore.exe
1736	explore.exe
960	explore.exe
960	explore.exe
1704	explore.exe
1704	explore.exe
1488	explore.exe
1488	explore.exe
2440	explore.exe
2440	explore.exe
2328	explore.exe
2328	explore.exe
2192	explore.exe
2192	explore.exe
1604	explore.exe
1604	explore.exe
2360	explore.exe
2360	explore.exe
2036	explore.exe
2036	explore.exe
2880	explore.exe
2880	explore.exe
2640	explore.exe
2640	explore.exe
2668	explore.exe
2668	explore.exe
2804	explore.exe
2804	explore.exe
2664	explore.exe
2664	explore.exe
2124	explore.exe
2124	explore.exe
2300	explore.exe
2300	explore.exe
1128	explore.exe
1128	explore.exe
1728	explore.exe
1728	explore.exe
2988	explore.exe
2988	explore.exe
2144	explore.exe
2144	explore.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	Program.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/516-0-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/files/0x000a000000012262-10.dat	upx
behavioral1/memory/3028-12-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/516-7-0x0000000002540000-0x0000000002633000-memory.dmp	upx
behavioral1/memory/516-15-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2856-34-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/3028-36-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2856-40-0x0000000004EB0000-0x0000000004FA3000-memory.dmp	upx
behavioral1/memory/2856-44-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2928-45-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2928-51-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2768-53-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2768-59-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2708-60-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2708-67-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/692-65-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/692-74-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1908-73-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2808-80-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1908-82-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2808-86-0x0000000005060000-0x0000000005153000-memory.dmp	upx
behavioral1/memory/2808-87-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2220-94-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/3000-93-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2220-101-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1736-106-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1932-104-0x0000000004E60000-0x0000000004F53000-memory.dmp	upx
behavioral1/memory/1932-108-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1736-113-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1704-120-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/960-118-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1704-127-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1488-133-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2440-136-0x0000000004EE0000-0x0000000004FD3000-memory.dmp	upx
behavioral1/memory/2328-139-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2440-138-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2328-142-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2192-145-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1604-148-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2036-150-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2360-152-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2880-155-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2036-154-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2880-157-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2640-161-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2804-166-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2668-165-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2804-171-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2664-172-0x0000000004EC0000-0x0000000004FB3000-memory.dmp	upx
behavioral1/memory/2664-175-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2124-178-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2300-182-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1128-183-0x0000000004EE0000-0x0000000004FD3000-memory.dmp	upx
behavioral1/memory/1728-184-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1128-186-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1728-189-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2988-192-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1252-197-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/3064-206-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1356-212-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1460-213-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/1528-214-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/768-215-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral1/memory/2420-216-0x0000000000400000-0x00000000004F3000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Program.EXE	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
File created	C:\Windows\Program1.EXE	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Program1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Program1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Program1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Program1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Program1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Program1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Program1.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2548	Program1.EXE
2548	Program1.EXE
2548	Program1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3028	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	30
PID 516 wrote to memory of 3028	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	30
PID 516 wrote to memory of 3028	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	30
PID 516 wrote to memory of 3028	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	30
PID 516 wrote to memory of 2548	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	31
PID 516 wrote to memory of 2548	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	31
PID 516 wrote to memory of 2548	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	31
PID 516 wrote to memory of 2548	516	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2856	3028	Program.EXE	33
PID 3028 wrote to memory of 2856	3028	Program.EXE	33
PID 3028 wrote to memory of 2856	3028	Program.EXE	33
PID 3028 wrote to memory of 2856	3028	Program.EXE	33
PID 2856 wrote to memory of 2928	2856	explore.exe	34
PID 2856 wrote to memory of 2928	2856	explore.exe	34
PID 2856 wrote to memory of 2928	2856	explore.exe	34
PID 2856 wrote to memory of 2928	2856	explore.exe	34
PID 2928 wrote to memory of 2768	2928	explore.exe	35
PID 2928 wrote to memory of 2768	2928	explore.exe	35
PID 2928 wrote to memory of 2768	2928	explore.exe	35
PID 2928 wrote to memory of 2768	2928	explore.exe	35
PID 2768 wrote to memory of 2708	2768	explore.exe	36
PID 2768 wrote to memory of 2708	2768	explore.exe	36
PID 2768 wrote to memory of 2708	2768	explore.exe	36
PID 2768 wrote to memory of 2708	2768	explore.exe	36
PID 2708 wrote to memory of 692	2708	explore.exe	37
PID 2708 wrote to memory of 692	2708	explore.exe	37
PID 2708 wrote to memory of 692	2708	explore.exe	37
PID 2708 wrote to memory of 692	2708	explore.exe	37
PID 692 wrote to memory of 1908	692	explore.exe	38
PID 692 wrote to memory of 1908	692	explore.exe	38
PID 692 wrote to memory of 1908	692	explore.exe	38
PID 692 wrote to memory of 1908	692	explore.exe	38
PID 1908 wrote to memory of 2808	1908	explore.exe	39
PID 1908 wrote to memory of 2808	1908	explore.exe	39
PID 1908 wrote to memory of 2808	1908	explore.exe	39
PID 1908 wrote to memory of 2808	1908	explore.exe	39
PID 2808 wrote to memory of 3000	2808	explore.exe	40
PID 2808 wrote to memory of 3000	2808	explore.exe	40
PID 2808 wrote to memory of 3000	2808	explore.exe	40
PID 2808 wrote to memory of 3000	2808	explore.exe	40
PID 3000 wrote to memory of 2220	3000	explore.exe	41
PID 3000 wrote to memory of 2220	3000	explore.exe	41
PID 3000 wrote to memory of 2220	3000	explore.exe	41
PID 3000 wrote to memory of 2220	3000	explore.exe	41
PID 2220 wrote to memory of 1932	2220	explore.exe	42
PID 2220 wrote to memory of 1932	2220	explore.exe	42
PID 2220 wrote to memory of 1932	2220	explore.exe	42
PID 2220 wrote to memory of 1932	2220	explore.exe	42
PID 1932 wrote to memory of 1736	1932	explore.exe	43
PID 1932 wrote to memory of 1736	1932	explore.exe	43
PID 1932 wrote to memory of 1736	1932	explore.exe	43
PID 1932 wrote to memory of 1736	1932	explore.exe	43
PID 1736 wrote to memory of 960	1736	explore.exe	44
PID 1736 wrote to memory of 960	1736	explore.exe	44
PID 1736 wrote to memory of 960	1736	explore.exe	44
PID 1736 wrote to memory of 960	1736	explore.exe	44
PID 960 wrote to memory of 1704	960	explore.exe	45
PID 960 wrote to memory of 1704	960	explore.exe	45
PID 960 wrote to memory of 1704	960	explore.exe	45
PID 960 wrote to memory of 1704	960	explore.exe	45
PID 1704 wrote to memory of 1488	1704	explore.exe	46
PID 1704 wrote to memory of 1488	1704	explore.exe	46
PID 1704 wrote to memory of 1488	1704	explore.exe	46
PID 1704 wrote to memory of 1488	1704	explore.exe	46

C:\Users\Admin\AppData\Local\Temp\98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\Program.EXE
  "C:\Windows\Program.EXE"
  2⤵
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\explore.exe
    "C:\Windows\system32\explore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\explore.exe
      "C:\Windows\system32\explore.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2440
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1728
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        66⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        67⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        68⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        74⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        78⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        79⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        80⤵
        
        PID:588
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        81⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        82⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        83⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        84⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        85⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        86⤵
        
        PID:692
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        87⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        88⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        89⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        90⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        91⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        92⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        93⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        94⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        95⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        96⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        97⤵
        
        PID:908
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        98⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        99⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        100⤵
        
        PID:580
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        101⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        102⤵
        
        PID:568
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        103⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        104⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        105⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        106⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        107⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        108⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        109⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        110⤵
        
        PID:588
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        111⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        112⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        113⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        114⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        115⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        116⤵
        
        PID:692
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        117⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        118⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        119⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        120⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        121⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        122⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        123⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        124⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        125⤵
        
        PID:944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        126⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        127⤵
        
        PID:908
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        128⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        129⤵
        
        PID:768
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        130⤵
        
        PID:580
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        131⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        132⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        133⤵
        
        PID:568
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        134⤵
        
        PID:924
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        135⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        136⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        137⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        138⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        139⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        140⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        141⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        142⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        143⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        144⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        145⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        146⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        147⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        148⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        149⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        150⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        151⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        152⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        153⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        154⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        155⤵
        
        PID:696
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        156⤵
        
        PID:956
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        157⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        158⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        159⤵
        
        PID:900
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        160⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        161⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        162⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        163⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        164⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        165⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        166⤵
        
        PID:884
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        167⤵
        
        PID:860
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        168⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        169⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        170⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        171⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        172⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        173⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        174⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        175⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        176⤵
        
        PID:672
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        177⤵
        
        PID:940
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        178⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        179⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        180⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        181⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        182⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        183⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        184⤵
        
        PID:436
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        185⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        186⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        187⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        188⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        189⤵
        
        PID:972
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        190⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        191⤵
        
        PID:908
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        192⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        193⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        194⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        195⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        196⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        197⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        198⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        199⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        200⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        201⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        202⤵
        
        PID:776
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        203⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        204⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        205⤵
        
        PID:588
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        206⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        207⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        208⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        209⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        210⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        211⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        212⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        213⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        214⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        215⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        216⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        217⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        218⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        219⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        220⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        221⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        222⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        223⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        224⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        225⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        226⤵
        
        PID:628
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        227⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        228⤵
        
        PID:924
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        229⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        230⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        231⤵
        
        PID:516
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        232⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        233⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        234⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        235⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        236⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        237⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        238⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        239⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        240⤵
        
        PID:672
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        241⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        242⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        243⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        244⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        245⤵
        
        PID:2080
- C:\Windows\Program1.EXE
  "C:\Windows\Program1.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Program.EXE

Filesize
405KB

MD5
7a032ab96ba3da4af41c8e8a8eca4f87

SHA1
b4ee2abbb24d70dfdb8deebc6f5670eadd019b31

SHA256
4a5eb63ffa494393bb3532acfb10fffe89b573998a7038ae18bb3b1bebc55a16

SHA512
9628a72218408dc8a5f35ec8ed7687e686c4c4155994efa84b854cfba2399da17c8533ba4fda35fd9178612cc560af2daf8f9271027ddd7ba3f6568244b63433

Download Submit
C:\Windows\Program1.EXE

Filesize
619KB

MD5
098d1c15eafdcbf3b5cc0d67a89f6083

SHA1
3817e75ed7be3a7f997bbe26a3aa9565de8d8854

SHA256
8c5c82b7b2967e4e28c7fe05765ef3449476a5c83724dc05e46a86eee30000d1

SHA512
fabf4149d59348db912e8379fcf910bd430d770744777c685d4c97af4806dc0dd80d08642a6000fc2d135010f502f3232a70025e76c840a08cc73891a08e4722

Download Submit
memory/516-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-7-0x0000000002540000-0x0000000002633000-memory.dmp

Filesize
972KB

Download
memory/516-9-0x0000000002540000-0x0000000002633000-memory.dmp

Filesize
972KB

Download
memory/516-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-70-0x0000000004D80000-0x0000000004E73000-memory.dmp

Filesize
972KB

Download
memory/692-74-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/692-65-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/752-233-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/768-215-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/960-118-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1128-234-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1128-186-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1128-183-0x0000000004EE0000-0x0000000004FD3000-memory.dmp

Filesize
972KB

Download
memory/1176-235-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-197-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1356-212-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1372-217-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1460-213-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1488-133-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1488-130-0x0000000004FF0000-0x00000000050E3000-memory.dmp

Filesize
972KB

Download
memory/1528-214-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1600-221-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-148-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-147-0x0000000003BC0000-0x0000000003CB3000-memory.dmp

Filesize
972KB

Download
memory/1676-231-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1704-124-0x0000000004ED0000-0x0000000004FC3000-memory.dmp

Filesize
972KB

Download
memory/1704-127-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1704-120-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1716-218-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1728-184-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1728-187-0x0000000004D70000-0x0000000004E63000-memory.dmp

Filesize
972KB

Download
memory/1728-189-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1736-113-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1736-114-0x0000000004FB0000-0x00000000050A3000-memory.dmp

Filesize
972KB

Download
memory/1736-106-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1740-240-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1908-78-0x0000000004FF0000-0x00000000050E3000-memory.dmp

Filesize
972KB

Download
memory/1908-82-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1908-77-0x0000000004FF0000-0x00000000050E3000-memory.dmp

Filesize
972KB

Download
memory/1908-73-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1932-104-0x0000000004E60000-0x0000000004F53000-memory.dmp

Filesize
972KB

Download
memory/1932-108-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2036-150-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2036-154-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2036-167-0x0000000004F80000-0x0000000005073000-memory.dmp

Filesize
972KB

Download
memory/2084-230-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2088-236-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2100-226-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2104-222-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2124-178-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2124-176-0x0000000003910000-0x0000000003A03000-memory.dmp

Filesize
972KB

Download
memory/2144-195-0x0000000003A50000-0x0000000003B43000-memory.dmp

Filesize
972KB

Download
memory/2144-194-0x0000000003A50000-0x0000000003B43000-memory.dmp

Filesize
972KB

Download
memory/2152-239-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2192-143-0x0000000004F30000-0x0000000005023000-memory.dmp

Filesize
972KB

Download
memory/2192-145-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2220-101-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2220-99-0x0000000004F90000-0x0000000005083000-memory.dmp

Filesize
972KB

Download
memory/2220-94-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2280-228-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2284-220-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2296-237-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2300-180-0x0000000004EB0000-0x0000000004FA3000-memory.dmp

Filesize
972KB

Download
memory/2300-182-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2300-179-0x0000000004EB0000-0x0000000004FA3000-memory.dmp

Filesize
972KB

Download
memory/2328-142-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2328-140-0x0000000003AA0000-0x0000000003B93000-memory.dmp

Filesize
972KB

Download
memory/2328-139-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2336-223-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2360-152-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2360-149-0x0000000004F30000-0x0000000005023000-memory.dmp

Filesize
972KB

Download
memory/2384-219-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2420-216-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2440-138-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2440-136-0x0000000004EE0000-0x0000000004FD3000-memory.dmp

Filesize
972KB

Download
memory/2504-238-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2548-54-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

Filesize
4KB

Download
memory/2548-22-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2548-52-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2548-18-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

Filesize
4KB

Download
memory/2548-24-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2640-159-0x0000000003BC0000-0x0000000003CB3000-memory.dmp

Filesize
972KB

Download
memory/2640-161-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2640-158-0x0000000003BC0000-0x0000000003CB3000-memory.dmp

Filesize
972KB

Download
memory/2664-175-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2664-172-0x0000000004EC0000-0x0000000004FB3000-memory.dmp

Filesize
972KB

Download
memory/2664-173-0x0000000004EC0000-0x0000000004FB3000-memory.dmp

Filesize
972KB

Download
memory/2668-163-0x0000000004DD0000-0x0000000004EC3000-memory.dmp

Filesize
972KB

Download
memory/2668-164-0x0000000004DD0000-0x0000000004EC3000-memory.dmp

Filesize
972KB

Download
memory/2668-165-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2708-60-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2708-64-0x00000000050E0000-0x00000000051D3000-memory.dmp

Filesize
972KB

Download
memory/2708-67-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2724-224-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2768-53-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2768-59-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2804-166-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2804-169-0x0000000003B10000-0x0000000003C03000-memory.dmp

Filesize
972KB

Download
memory/2804-171-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2804-170-0x0000000003B10000-0x0000000003C03000-memory.dmp

Filesize
972KB

Download
memory/2808-86-0x0000000005060000-0x0000000005153000-memory.dmp

Filesize
972KB

Download
memory/2808-80-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2808-88-0x0000000005060000-0x0000000005153000-memory.dmp

Filesize
972KB

Download
memory/2808-87-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2812-229-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2836-232-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2856-41-0x0000000004EB0000-0x0000000004FA3000-memory.dmp

Filesize
972KB

Download
memory/2856-34-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2856-40-0x0000000004EB0000-0x0000000004FA3000-memory.dmp

Filesize
972KB

Download
memory/2856-44-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2880-157-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2880-156-0x0000000004EC0000-0x0000000004FB3000-memory.dmp

Filesize
972KB

Download
memory/2880-155-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2904-225-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2928-49-0x0000000003900000-0x00000000039F3000-memory.dmp

Filesize
972KB

Download
memory/2928-227-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2928-45-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2928-51-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2988-191-0x0000000004E40000-0x0000000004F33000-memory.dmp

Filesize
972KB

Download
memory/2988-193-0x0000000004E40000-0x0000000004F33000-memory.dmp

Filesize
972KB

Download
memory/2988-192-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3000-93-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3028-32-0x0000000004D90000-0x0000000004E83000-memory.dmp

Filesize
972KB

Download
memory/3028-17-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3028-36-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3028-27-0x0000000004D90000-0x0000000004E83000-memory.dmp

Filesize
972KB

Download
memory/3028-12-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3064-206-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads