modiloader | e1a713cb4fb0925ad84cb8481dc9abd7c52af39a2de1178ee03ee8ee37b02f4a

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
Size

1.2MB
MD5

98b9cdb8538396beac04570b859cbc71
SHA1

0d56b67caa70540818d64cf6c5081b78a162f4a6
SHA256

e1a713cb4fb0925ad84cb8481dc9abd7c52af39a2de1178ee03ee8ee37b02f4a
SHA512

787d9cb901af9f6f06dc96fdd20f6183927b24e798068bcc7cb8cab43b4095dd93dce4ca96d279b451b5e7d670a65c7144e4620d3d13f2132eebbd4e09beb975
SSDEEP

24576:zUuQmFQK1EA30nV/n+QmFQK1Mg3QmFQK1Hg3QmFQK1+g3QmFQK1xhg3QmFQK1m:zUuQmFQK1EJn5n+QmFQK1Mg3QmFQK1H2

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2912-66-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3548-68-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/408-70-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4720-72-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3548-74-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4720-77-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1508-80-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/264-83-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3988-85-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3188-88-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4344-93-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4480-97-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2260-100-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/916-102-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3668-105-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1864-108-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4936-111-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1472-114-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1536-118-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1820-121-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-125-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1792-128-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4028-131-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2704-133-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1508-136-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4192-140-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2712-142-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3280-144-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2988-147-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2244-150-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/444-153-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3836-157-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/316-159-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2420-162-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2616-165-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2932-167-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1520-168-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4412-169-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3340-171-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1472-172-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1536-173-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/464-175-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2360-177-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4992-179-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/232-181-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4608-182-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1692-184-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4192-185-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2268-186-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4192-188-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-190-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3912-192-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/992-194-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2244-196-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/1844-198-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/5024-200-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3816-202-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-203-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4340-205-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/3356-206-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2968-208-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/2280-209-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4160-210-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2
behavioral2/memory/4760-212-0x0000000000400000-0x00000000004F3000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeProgram.EXEexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Program.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explore.exe

Executes dropped EXE 64 IoCs

Processes:

Program.EXEProgram1.EXEexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

pid	Process
2912	Program.EXE
4920	Program1.EXE
408	explore.exe
3548	explore.exe
4720	explore.exe
1508	explore.exe
264	explore.exe
3988	explore.exe
3188	explore.exe
4344	explore.exe
4480	explore.exe
2260	explore.exe
916	explore.exe
3668	explore.exe
1864	explore.exe
4936	explore.exe
1472	explore.exe
1536	explore.exe
1820	explore.exe
4044	explore.exe
1792	explore.exe
4028	explore.exe
2704	explore.exe
1508	explore.exe
4192	explore.exe
2712	explore.exe
3280	explore.exe
2988	explore.exe
2244	explore.exe
444	explore.exe
3836	explore.exe
316	explore.exe
2420	explore.exe
2616	explore.exe
2932	explore.exe
1520	explore.exe
4412	explore.exe
3340	explore.exe
1472	explore.exe
1536	explore.exe
464	explore.exe
2360	explore.exe
4992	explore.exe
232	explore.exe
4608	explore.exe
1692	explore.exe
2268	explore.exe
4192	explore.exe
2884	explore.exe
3912	explore.exe
992	explore.exe
2244	explore.exe
1844	explore.exe
5024	explore.exe
3816	explore.exe
5004	explore.exe
4340	explore.exe
3356	explore.exe
2968	explore.exe
2280	explore.exe
4160	explore.exe
4760	explore.exe
464	explore.exe
2912	explore.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Program.EXE

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Program.EXE
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Program.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\explore.exe"	explore.exe

Drops file in System32 directory 64 IoCs

Processes:

explore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File opened for modification	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe
File created	C:\Windows\SysWOW64\explore.exe	explore.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1644-0-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x000c000000023b17-5.dat	upx
behavioral2/memory/2912-18-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1644-21-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/408-64-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2912-66-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3548-68-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/408-70-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4720-72-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3548-74-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4720-77-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1508-80-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/264-83-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3988-85-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3188-88-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4344-93-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4480-97-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2260-100-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/916-102-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3668-105-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1864-108-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4936-111-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1472-114-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1820-116-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1536-118-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1820-121-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4044-125-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1792-128-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4028-131-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2704-133-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1508-136-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4192-140-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2712-142-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3280-144-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2988-147-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2244-150-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/444-153-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3836-152-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3836-157-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/316-159-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2420-162-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2616-165-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2932-167-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1520-168-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4412-169-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3340-171-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1472-172-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1536-173-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/464-175-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2360-177-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4992-179-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/232-181-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4608-182-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1692-184-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4192-185-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2268-186-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/4192-188-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2884-190-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3912-192-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/992-194-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2244-196-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/1844-198-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/5024-200-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/3816-202-0x0000000000400000-0x00000000004F3000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\Program.EXE	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
File created	C:\Windows\Program1.EXE	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe

Modifies registry class 64 IoCs

Processes:

explore.exeexplore.exeProgram1.EXEexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeProgram.EXEexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Program.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Program1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Program1.EXE

pid	Process
4920	Program1.EXE
4920	Program1.EXE
4920	Program1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exeProgram.EXEexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exeexplore.exe

description	pid	Process	procid_target
PID 1644 wrote to memory of 2912	1644	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	83
PID 1644 wrote to memory of 2912	1644	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	83
PID 1644 wrote to memory of 2912	1644	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	83
PID 1644 wrote to memory of 4920	1644	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	84
PID 1644 wrote to memory of 4920	1644	98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe	84
PID 2912 wrote to memory of 408	2912	Program.EXE	85
PID 2912 wrote to memory of 408	2912	Program.EXE	85
PID 2912 wrote to memory of 408	2912	Program.EXE	85
PID 408 wrote to memory of 3548	408	explore.exe	86
PID 408 wrote to memory of 3548	408	explore.exe	86
PID 408 wrote to memory of 3548	408	explore.exe	86
PID 3548 wrote to memory of 4720	3548	explore.exe	87
PID 3548 wrote to memory of 4720	3548	explore.exe	87
PID 3548 wrote to memory of 4720	3548	explore.exe	87
PID 4720 wrote to memory of 1508	4720	explore.exe	88
PID 4720 wrote to memory of 1508	4720	explore.exe	88
PID 4720 wrote to memory of 1508	4720	explore.exe	88
PID 1508 wrote to memory of 264	1508	explore.exe	89
PID 1508 wrote to memory of 264	1508	explore.exe	89
PID 1508 wrote to memory of 264	1508	explore.exe	89
PID 264 wrote to memory of 3988	264	explore.exe	90
PID 264 wrote to memory of 3988	264	explore.exe	90
PID 264 wrote to memory of 3988	264	explore.exe	90
PID 3988 wrote to memory of 3188	3988	explore.exe	91
PID 3988 wrote to memory of 3188	3988	explore.exe	91
PID 3988 wrote to memory of 3188	3988	explore.exe	91
PID 3188 wrote to memory of 4344	3188	explore.exe	94
PID 3188 wrote to memory of 4344	3188	explore.exe	94
PID 3188 wrote to memory of 4344	3188	explore.exe	94
PID 4344 wrote to memory of 4480	4344	explore.exe	96
PID 4344 wrote to memory of 4480	4344	explore.exe	96
PID 4344 wrote to memory of 4480	4344	explore.exe	96
PID 4480 wrote to memory of 2260	4480	explore.exe	98
PID 4480 wrote to memory of 2260	4480	explore.exe	98
PID 4480 wrote to memory of 2260	4480	explore.exe	98
PID 2260 wrote to memory of 916	2260	explore.exe	99
PID 2260 wrote to memory of 916	2260	explore.exe	99
PID 2260 wrote to memory of 916	2260	explore.exe	99
PID 916 wrote to memory of 3668	916	explore.exe	100
PID 916 wrote to memory of 3668	916	explore.exe	100
PID 916 wrote to memory of 3668	916	explore.exe	100
PID 3668 wrote to memory of 1864	3668	explore.exe	101
PID 3668 wrote to memory of 1864	3668	explore.exe	101
PID 3668 wrote to memory of 1864	3668	explore.exe	101
PID 1864 wrote to memory of 4936	1864	explore.exe	104
PID 1864 wrote to memory of 4936	1864	explore.exe	104
PID 1864 wrote to memory of 4936	1864	explore.exe	104
PID 4936 wrote to memory of 1472	4936	explore.exe	130
PID 4936 wrote to memory of 1472	4936	explore.exe	130
PID 4936 wrote to memory of 1472	4936	explore.exe	130
PID 1472 wrote to memory of 1536	1472	explore.exe	131
PID 1472 wrote to memory of 1536	1472	explore.exe	131
PID 1472 wrote to memory of 1536	1472	explore.exe	131
PID 1536 wrote to memory of 1820	1536	explore.exe	107
PID 1536 wrote to memory of 1820	1536	explore.exe	107
PID 1536 wrote to memory of 1820	1536	explore.exe	107
PID 1820 wrote to memory of 4044	1820	explore.exe	108
PID 1820 wrote to memory of 4044	1820	explore.exe	108
PID 1820 wrote to memory of 4044	1820	explore.exe	108
PID 4044 wrote to memory of 1792	4044	explore.exe	109
PID 4044 wrote to memory of 1792	4044	explore.exe	109
PID 4044 wrote to memory of 1792	4044	explore.exe	109
PID 1792 wrote to memory of 4028	1792	explore.exe	110
PID 1792 wrote to memory of 4028	1792	explore.exe	110

C:\Users\Admin\AppData\Local\Temp\98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98b9cdb8538396beac04570b859cbc71_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Program.EXE
  "C:\Windows\Program.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\explore.exe
    "C:\Windows\system32\explore.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\explore.exe
      "C:\Windows\system32\explore.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2704
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3280
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        28⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        39⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        40⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        42⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        46⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        48⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        50⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1844
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        54⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        55⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        57⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        67⤵
        Checks computer location settings
        
        PID:4388
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        68⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        69⤵
        Adds Run key to start application
        
        PID:2960
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        72⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        73⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        75⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        76⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        78⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        79⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        80⤵
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        81⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        82⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        83⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        84⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        85⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        87⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        88⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        89⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        90⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        92⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        93⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        94⤵
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        98⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        99⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        100⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        101⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        102⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        103⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        107⤵
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        112⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        113⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        114⤵
        Checks computer location settings
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        116⤵
        Adds Run key to start application
        
        PID:3640
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        117⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        118⤵
        Adds Run key to start application
        
        PID:4876
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        119⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        120⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        121⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        122⤵
        Adds Run key to start application
        
        PID:4176
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        123⤵
        Adds Run key to start application
        
        PID:3384
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        124⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        126⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        127⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        128⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        129⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        131⤵
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        133⤵
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        136⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        137⤵
        
        PID:64
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        138⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        139⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        141⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        142⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        143⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        144⤵
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        145⤵
        Adds Run key to start application
        
        PID:3892
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        146⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        147⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        148⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        151⤵
        Adds Run key to start application
        
        PID:3632
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        152⤵
        Adds Run key to start application
        
        PID:436
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        153⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        154⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        155⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        156⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        157⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2120
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        158⤵
        Adds Run key to start application
        
        PID:4744
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        159⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        160⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        161⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        162⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        164⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        165⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        166⤵
        
        PID:544
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        170⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        171⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4968
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        172⤵
        Checks computer location settings
        
        PID:3152
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        173⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        174⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        175⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        177⤵
        Adds Run key to start application
        
        PID:4556
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        178⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        179⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        180⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        181⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        184⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        185⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        186⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        187⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        188⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        189⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        190⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        191⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        193⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        194⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        195⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        196⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        197⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        198⤵
        
        PID:928
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        199⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        200⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        201⤵
        
        PID:752
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        202⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        203⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        204⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        205⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        206⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        207⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        208⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        209⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        210⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        211⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        212⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        213⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        214⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        215⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        216⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        217⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        218⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        219⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        220⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        221⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        222⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        223⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        224⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        225⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\explore.exe
        
        "C:\Windows\system32\explore.exe"
        226⤵
        
        PID:5036
- C:\Windows\Program1.EXE
  "C:\Windows\Program1.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Program.EXE

Filesize
405KB

MD5
7a032ab96ba3da4af41c8e8a8eca4f87

SHA1
b4ee2abbb24d70dfdb8deebc6f5670eadd019b31

SHA256
4a5eb63ffa494393bb3532acfb10fffe89b573998a7038ae18bb3b1bebc55a16

SHA512
9628a72218408dc8a5f35ec8ed7687e686c4c4155994efa84b854cfba2399da17c8533ba4fda35fd9178612cc560af2daf8f9271027ddd7ba3f6568244b63433

Download Submit
C:\Windows\Program1.EXE

Filesize
619KB

MD5
098d1c15eafdcbf3b5cc0d67a89f6083

SHA1
3817e75ed7be3a7f997bbe26a3aa9565de8d8854

SHA256
8c5c82b7b2967e4e28c7fe05765ef3449476a5c83724dc05e46a86eee30000d1

SHA512
fabf4149d59348db912e8379fcf910bd430d770744777c685d4c97af4806dc0dd80d08642a6000fc2d135010f502f3232a70025e76c840a08cc73891a08e4722

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-273-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/232-181-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/264-83-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/316-159-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/364-249-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/408-64-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/408-70-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/408-263-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/444-153-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/464-214-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/464-175-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/916-102-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/992-194-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1176-255-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1272-237-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1472-114-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1472-172-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1508-136-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1508-80-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1520-168-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1536-118-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1536-173-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-259-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1644-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-184-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1792-128-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1820-121-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1820-116-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1844-198-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1864-108-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2136-281-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2156-279-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2244-150-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2244-196-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2260-100-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2268-186-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2280-253-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2280-209-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2360-177-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2420-162-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2440-241-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2616-243-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2616-165-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2704-133-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2708-257-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2712-275-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2712-142-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2884-229-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2884-190-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2912-66-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2912-216-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2912-22-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2912-18-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2932-167-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2960-225-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2968-208-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2988-147-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2988-233-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3100-239-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3188-88-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3188-227-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3280-144-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3340-171-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3356-206-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3488-269-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3548-74-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3548-68-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3668-105-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3684-247-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3808-223-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3816-202-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3836-152-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3836-157-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3912-192-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3960-265-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3988-85-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4028-131-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4044-125-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4160-210-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4192-188-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4192-140-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4192-185-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4276-235-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4340-205-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4344-93-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4388-221-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4404-245-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4412-169-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4456-251-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4476-277-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4480-97-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4556-271-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4608-182-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4608-267-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4720-77-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4720-72-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4760-212-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4828-219-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4880-217-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4920-23-0x00007FF91F2D5000-0x00007FF91F2D6000-memory.dmp

Filesize
4KB

Download
memory/4920-26-0x000000001B450000-0x000000001B4F6000-memory.dmp

Filesize
664KB

Download
memory/4920-96-0x00007FF91F020000-0x00007FF91F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/4920-52-0x000000001B9D0000-0x000000001BE9E000-memory.dmp

Filesize
4.8MB

Download
memory/4920-89-0x00007FF91F020000-0x00007FF91F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/4920-27-0x00007FF91F020000-0x00007FF91F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/4920-62-0x000000001C020000-0x000000001C06C000-memory.dmp

Filesize
304KB

Download
memory/4920-91-0x00007FF91F2D5000-0x00007FF91F2D6000-memory.dmp

Filesize
4KB

Download
memory/4920-54-0x00007FF91F020000-0x00007FF91F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/4920-59-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/4920-53-0x000000001BF40000-0x000000001BFDC000-memory.dmp

Filesize
624KB

Download
memory/4936-111-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4968-261-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4992-179-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5004-203-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5012-231-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5024-200-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download