xtremerat | 0eb8a6b7eca4cfce4739d7c3978fe85461c59d9379fa4d69bb5d43414d7df3bc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Size

220KB
MD5

af55a8204d380d0cb71903731956ec8e
SHA1

fca87c74138cd59d42ffb70853b30d6655d27ce2
SHA256

0eb8a6b7eca4cfce4739d7c3978fe85461c59d9379fa4d69bb5d43414d7df3bc
SHA512

ca8e033cbe56a43dd865d5d03b54a249c9c18a0a5dc474f1e50806ebcc234fce63fa0a2da91dcf5653958c7b638e71a408fdeadeef2533269a1136e4cdd8020c
SSDEEP

6144:vGr5SmlkgbhiIBE93n3xrQd15c3G6zmGQIsPdn:vW5Sm7DE93n3xrI15EzmGQLPdn

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 28 IoCs

resource	yara_rule
behavioral1/memory/2884-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-6-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-7-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-50-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-48-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-53-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-46-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-42-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-40-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-52-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-36-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-34-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-44-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/760-62-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-107-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-106-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-105-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-104-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-103-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-102-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-101-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-100-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-99-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-108-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\patche.exe restart"	patche.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	patche.exe

Executes dropped EXE 58 IoCs

pid	Process
2680	patche.exe
760	patche.exe
596	patche.exe
1420	patche.exe
2412	patche.exe
2400	patche.exe
1848	patche.exe
3016	patche.exe
1632	patche.exe
1604	patche.exe
2140	patche.exe
3056	patche.exe
2868	patche.exe
2840	patche.exe
3036	patche.exe
848	patche.exe
2760	patche.exe
804	patche.exe
2008	patche.exe
1836	patche.exe
1856	patche.exe
872	patche.exe
2484	patche.exe
1916	patche.exe
2980	patche.exe
2964	patche.exe
1720	patche.exe
2636	patche.exe
2408	patche.exe
1688	patche.exe
1648	patche.exe
1452	patche.exe
892	patche.exe
2044	patche.exe
1200	patche.exe
840	patche.exe
1544	patche.exe
2264	patche.exe
2884	patche.exe
2608	patche.exe
692	patche.exe
2820	patche.exe
1952	patche.exe
2044	patche.exe
2064	patche.exe
1916	patche.exe
2488	patche.exe
532	patche.exe
3196	patche.exe
3212	patche.exe
3376	patche.exe
3392	patche.exe
3548	patche.exe
3564	patche.exe
3724	patche.exe
3740	patche.exe
3896	patche.exe
3912	patche.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
2680	patche.exe
2680	patche.exe
2680	patche.exe
2680	patche.exe
760	patche.exe
760	patche.exe
760	patche.exe
760	patche.exe
596	patche.exe
596	patche.exe
596	patche.exe
596	patche.exe
1420	patche.exe
1420	patche.exe
1420	patche.exe
1420	patche.exe
2412	patche.exe
2412	patche.exe
2412	patche.exe
2412	patche.exe
2400	patche.exe
2400	patche.exe
2400	patche.exe
2400	patche.exe
1848	patche.exe
1848	patche.exe
1848	patche.exe
1848	patche.exe
3016	patche.exe
3016	patche.exe
3016	patche.exe
3016	patche.exe
1632	patche.exe
1632	patche.exe
1632	patche.exe
1632	patche.exe
1604	patche.exe
1604	patche.exe
1604	patche.exe
1604	patche.exe
2140	patche.exe
2140	patche.exe
2140	patche.exe
2140	patche.exe
3056	patche.exe
3056	patche.exe
3056	patche.exe
3056	patche.exe
2868	patche.exe
2868	patche.exe
2868	patche.exe
2868	patche.exe
2840	patche.exe
2840	patche.exe
2840	patche.exe
2840	patche.exe
3036	patche.exe
3036	patche.exe
3036	patche.exe
3036	patche.exe
848	patche.exe
848	patche.exe
848	patche.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\patche.exe"	patche.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2680 set thread context of 760	2680	patche.exe	40
PID 596 set thread context of 1420	596	patche.exe	50
PID 2412 set thread context of 2400	2412	patche.exe	60
PID 1848 set thread context of 3016	1848	patche.exe	70
PID 1632 set thread context of 1604	1632	patche.exe	80
PID 2140 set thread context of 3056	2140	patche.exe	90
PID 2868 set thread context of 2840	2868	patche.exe	100
PID 3036 set thread context of 848	3036	patche.exe	110
PID 2760 set thread context of 804	2760	patche.exe	120
PID 2008 set thread context of 1836	2008	patche.exe	130
PID 1856 set thread context of 872	1856	patche.exe	140
PID 2484 set thread context of 1916	2484	patche.exe	150
PID 2980 set thread context of 2964	2980	patche.exe	161
PID 1720 set thread context of 2636	1720	patche.exe	171
PID 2408 set thread context of 1688	2408	patche.exe	181
PID 1648 set thread context of 1452	1648	patche.exe	191
PID 892 set thread context of 2044	892	patche.exe	201
PID 1200 set thread context of 840	1200	patche.exe	211
PID 1544 set thread context of 2264	1544	patche.exe	221
PID 2884 set thread context of 2608	2884	patche.exe	231
PID 692 set thread context of 2820	692	patche.exe	241
PID 1952 set thread context of 2044	1952	patche.exe	251
PID 2064 set thread context of 1916	2064	patche.exe	261
PID 2488 set thread context of 532	2488	patche.exe	271
PID 3196 set thread context of 3212	3196	patche.exe	281
PID 3376 set thread context of 3392	3376	patche.exe	291
PID 3548 set thread context of 3564	3548	patche.exe	301
PID 3724 set thread context of 3740	3724	patche.exe	311
PID 3896 set thread context of 3912	3896	patche.exe	321

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File created	C:\Windows\InstallDir\patche.exe	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe
File opened for modification	C:\Windows\InstallDir\patche.exe	patche.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patche.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeRestorePrivilege	760	patche.exe
Token: SeBackupPrivilege	760	patche.exe
Token: SeRestorePrivilege	1420	patche.exe
Token: SeBackupPrivilege	1420	patche.exe
Token: SeRestorePrivilege	2400	patche.exe
Token: SeBackupPrivilege	2400	patche.exe
Token: SeRestorePrivilege	3016	patche.exe
Token: SeBackupPrivilege	3016	patche.exe
Token: SeRestorePrivilege	1604	patche.exe
Token: SeBackupPrivilege	1604	patche.exe
Token: SeRestorePrivilege	3056	patche.exe
Token: SeBackupPrivilege	3056	patche.exe
Token: SeRestorePrivilege	2840	patche.exe
Token: SeBackupPrivilege	2840	patche.exe
Token: SeRestorePrivilege	848	patche.exe
Token: SeBackupPrivilege	848	patche.exe
Token: SeRestorePrivilege	804	patche.exe
Token: SeBackupPrivilege	804	patche.exe
Token: SeRestorePrivilege	1836	patche.exe
Token: SeBackupPrivilege	1836	patche.exe
Token: SeRestorePrivilege	872	patche.exe
Token: SeBackupPrivilege	872	patche.exe
Token: SeRestorePrivilege	1916	patche.exe
Token: SeBackupPrivilege	1916	patche.exe
Token: SeRestorePrivilege	2964	patche.exe
Token: SeBackupPrivilege	2964	patche.exe
Token: SeRestorePrivilege	2636	patche.exe
Token: SeBackupPrivilege	2636	patche.exe
Token: SeRestorePrivilege	1688	patche.exe
Token: SeBackupPrivilege	1688	patche.exe
Token: SeRestorePrivilege	1452	patche.exe
Token: SeBackupPrivilege	1452	patche.exe
Token: SeRestorePrivilege	2044	patche.exe
Token: SeBackupPrivilege	2044	patche.exe
Token: SeRestorePrivilege	840	patche.exe
Token: SeBackupPrivilege	840	patche.exe
Token: SeRestorePrivilege	2264	patche.exe
Token: SeBackupPrivilege	2264	patche.exe
Token: SeRestorePrivilege	2608	patche.exe
Token: SeBackupPrivilege	2608	patche.exe
Token: SeRestorePrivilege	2820	patche.exe
Token: SeBackupPrivilege	2820	patche.exe
Token: SeRestorePrivilege	2044	patche.exe
Token: SeBackupPrivilege	2044	patche.exe
Token: SeRestorePrivilege	1916	patche.exe
Token: SeBackupPrivilege	1916	patche.exe
Token: SeRestorePrivilege	532	patche.exe
Token: SeBackupPrivilege	532	patche.exe
Token: SeRestorePrivilege	3212	patche.exe
Token: SeBackupPrivilege	3212	patche.exe
Token: SeRestorePrivilege	3392	patche.exe
Token: SeBackupPrivilege	3392	patche.exe
Token: SeRestorePrivilege	3564	patche.exe
Token: SeBackupPrivilege	3564	patche.exe
Token: SeRestorePrivilege	3740	patche.exe
Token: SeBackupPrivilege	3740	patche.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
2680	patche.exe
596	patche.exe
2412	patche.exe
1848	patche.exe
1632	patche.exe
2140	patche.exe
2868	patche.exe
3036	patche.exe
2760	patche.exe
2008	patche.exe
1856	patche.exe
2484	patche.exe
2980	patche.exe
1720	patche.exe
2408	patche.exe
1648	patche.exe
892	patche.exe
1200	patche.exe
1544	patche.exe
2884	patche.exe
692	patche.exe
1952	patche.exe
2064	patche.exe
2488	patche.exe
3196	patche.exe
3376	patche.exe
3548	patche.exe
3724	patche.exe
3896	patche.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2884	2716	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2904	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2904	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2904	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2904	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2904	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2712	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2712	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2712	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2712	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2712	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2604	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2604	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2604	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2604	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2604	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2752	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2752	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2752	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2752	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2752	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2656	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2656	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2656	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2656	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2656	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2940	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2940	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2940	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2940	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2940	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	36
PID 2884 wrote to memory of 3060	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	37
PID 2884 wrote to memory of 3060	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	37
PID 2884 wrote to memory of 3060	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	37
PID 2884 wrote to memory of 3060	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	37
PID 2884 wrote to memory of 3060	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2740	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2740	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2740	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2740	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2680	2884	af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe	39
PID 2680 wrote to memory of 760	2680	patche.exe	40
PID 2680 wrote to memory of 760	2680	patche.exe	40
PID 2680 wrote to memory of 760	2680	patche.exe	40
PID 2680 wrote to memory of 760	2680	patche.exe	40

C:\Users\Admin\AppData\Local\Temp\af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\af55a8204d380d0cb71903731956ec8e_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2656
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2940
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2740
- - C:\Windows\InstallDir\patche.exe
    "C:\Windows\InstallDir\patche.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\InstallDir\patche.exe
      "C:\Windows\InstallDir\patche.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1056
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2548
    - - C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:596
      - C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:776
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1156
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1256
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2316
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2720
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1780
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1724
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:828
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2516
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:696
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2128
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1596
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:344
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1624
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:888
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2448
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:3056
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        40⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:3064
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2084
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2868
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2820
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2556
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        50⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3184
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3196
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        52⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3364
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3536
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        56⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3712
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        58⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3880
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Windows\InstallDir\patche.exe
        
        "C:\Windows\InstallDir\patche.exe"
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\88603cb2913a7df3fbd16b5f958e6447_1defa0c0-fc04-4155-83bc-b490dbaa3679

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\754qgylK.cfg

Filesize
1KB

MD5
bc3d3c3d7c46b3f3108e02d1f3258930

SHA1
92f366b89e5eda1a1bd9d6fd391191033fd20dbe

SHA256
266f287ab734ac4f9c343c4aca0e87420e5c4621113dccd8fb6e2ae9298767c9

SHA512
9498c20ddcd0c8d530749883056eda5a3234eb48083c463646c1716eaa9a437336bf294b59a547a01928c2b3ce0fb841e15341faae52f8e9c1c8a3d5a9c4335c

Download Submit
\Windows\InstallDir\patche.exe

Filesize
220KB

MD5
af55a8204d380d0cb71903731956ec8e

SHA1
fca87c74138cd59d42ffb70853b30d6655d27ce2

SHA256
0eb8a6b7eca4cfce4739d7c3978fe85461c59d9379fa4d69bb5d43414d7df3bc

SHA512
ca8e033cbe56a43dd865d5d03b54a249c9c18a0a5dc474f1e50806ebcc234fce63fa0a2da91dcf5653958c7b638e71a408fdeadeef2533269a1136e4cdd8020c

Download Submit
memory/760-52-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-36-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-62-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-44-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-34-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-50-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-48-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-53-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-46-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-42-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-40-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-101-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-107-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-108-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-99-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-105-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-100-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-102-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-106-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-103-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-104-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-6-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads