xtremerat | 9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Size

638KB
MD5

80fae472f8dc5bcee4ed2191088a18c7
SHA1

c642feadabeef69b0b767ad6fa62dfcac323d835
SHA256

9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63
SHA512

8f0cc461be72ac418ab2788913c89ed57e5fa5322fefd6cda0934e95fd24f9cb826f082791f3254f890c46ad969b9ad9edac210b3fb8ffb13fed38eab7ee6199
SSDEEP

12288:NaWzgMg7v3qnCiMErQohh0F4CCJ8lny/QCJZ+Ys:MaHMv6Corjqny/QCJZ+Ys

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2784-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2784-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2784-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2628-43-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2628-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\downswae\\saaa.exe restart"	saaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	saaa.exe

Executes dropped EXE 62 IoCs

pid	Process
2720	saaa.exe
2628	saaa.exe
2524	saaa.exe
2184	saaa.exe
1640	saaa.exe
2876	saaa.exe
784	saaa.exe
2920	saaa.exe
2288	saaa.exe
1996	saaa.exe
2016	saaa.exe
1600	saaa.exe
2368	saaa.exe
3000	saaa.exe
2204	saaa.exe
2824	saaa.exe
1040	saaa.exe
2440	saaa.exe
2244	saaa.exe
2136	saaa.exe
1132	saaa.exe
836	saaa.exe
844	saaa.exe
2008	saaa.exe
2536	saaa.exe
2564	saaa.exe
2164	saaa.exe
2200	saaa.exe
2148	saaa.exe
2208	saaa.exe
1632	saaa.exe
2360	saaa.exe
2204	saaa.exe
2064	saaa.exe
2188	saaa.exe
2136	saaa.exe
844	saaa.exe
1312	saaa.exe
2180	saaa.exe
2188	saaa.exe
1096	saaa.exe
2488	saaa.exe
1236	saaa.exe
2880	saaa.exe
1144	saaa.exe
2188	saaa.exe
1144	saaa.exe
1224	saaa.exe
3236	saaa.exe
3276	saaa.exe
3412	saaa.exe
3456	saaa.exe
3596	saaa.exe
3636	saaa.exe
3776	saaa.exe
3816	saaa.exe
3960	saaa.exe
4000	saaa.exe
2188	saaa.exe
3128	saaa.exe
3280	saaa.exe
3424	saaa.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
2720	saaa.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\downswae\\saaa.exe"	saaa.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016dd9-20.dat	autoit_exe

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 2720 set thread context of 2628	2720	saaa.exe	40
PID 2524 set thread context of 2184	2524	saaa.exe	50
PID 1640 set thread context of 2876	1640	saaa.exe	60
PID 784 set thread context of 2920	784	saaa.exe	70
PID 2288 set thread context of 1996	2288	saaa.exe	81
PID 2016 set thread context of 1600	2016	saaa.exe	91
PID 2368 set thread context of 3000	2368	saaa.exe	101
PID 2204 set thread context of 2824	2204	saaa.exe	111
PID 1040 set thread context of 2440	1040	saaa.exe	121
PID 2244 set thread context of 2136	2244	saaa.exe	131
PID 1132 set thread context of 836	1132	saaa.exe	141
PID 844 set thread context of 2008	844	saaa.exe	151
PID 2536 set thread context of 2564	2536	saaa.exe	161
PID 2164 set thread context of 2200	2164	saaa.exe	171
PID 2148 set thread context of 2208	2148	saaa.exe	181
PID 1632 set thread context of 2360	1632	saaa.exe	191
PID 2204 set thread context of 2064	2204	saaa.exe	201
PID 2188 set thread context of 2136	2188	saaa.exe	211
PID 844 set thread context of 1312	844	saaa.exe	221
PID 2180 set thread context of 2188	2180	saaa.exe	231
PID 1096 set thread context of 2488	1096	saaa.exe	241
PID 1236 set thread context of 2880	1236	saaa.exe	251
PID 1144 set thread context of 2188	1144	saaa.exe	261
PID 1144 set thread context of 1224	1144	saaa.exe	271
PID 3236 set thread context of 3276	3236	saaa.exe	281
PID 3412 set thread context of 3456	3412	saaa.exe	291
PID 3596 set thread context of 3636	3596	saaa.exe	301
PID 3776 set thread context of 3816	3776	saaa.exe	311
PID 3960 set thread context of 4000	3960	saaa.exe	321
PID 2188 set thread context of 3128	2188	saaa.exe	331
PID 3280 set thread context of 3424	3280	saaa.exe	341

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2784-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2784-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2784-13-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2784-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2784-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2628-43-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2628-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\downswae\saaa.exe	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
File created	C:\Windows\downswae\saaa.exe	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saaa.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
2720	saaa.exe
2720	saaa.exe
2720	saaa.exe
2524	saaa.exe
2524	saaa.exe
2524	saaa.exe
1640	saaa.exe
1640	saaa.exe
1640	saaa.exe
784	saaa.exe
784	saaa.exe
784	saaa.exe
2288	saaa.exe
2288	saaa.exe
2288	saaa.exe
2016	saaa.exe
2016	saaa.exe
2016	saaa.exe
2368	saaa.exe
2368	saaa.exe
2368	saaa.exe
2204	saaa.exe
2204	saaa.exe
2204	saaa.exe
1040	saaa.exe
1040	saaa.exe
1040	saaa.exe
2244	saaa.exe
2244	saaa.exe
2244	saaa.exe
1132	saaa.exe
1132	saaa.exe
1132	saaa.exe
844	saaa.exe
844	saaa.exe
844	saaa.exe
2536	saaa.exe
2536	saaa.exe
2536	saaa.exe
2164	saaa.exe
2164	saaa.exe
2164	saaa.exe
2148	saaa.exe
2148	saaa.exe
2148	saaa.exe
1632	saaa.exe
1632	saaa.exe
1632	saaa.exe
2204	saaa.exe
2204	saaa.exe
2204	saaa.exe
2188	saaa.exe
2188	saaa.exe
2188	saaa.exe
844	saaa.exe
844	saaa.exe
844	saaa.exe
2180	saaa.exe
2180	saaa.exe
2180	saaa.exe
1096	saaa.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
2720	saaa.exe
2720	saaa.exe
2720	saaa.exe
2524	saaa.exe
2524	saaa.exe
2524	saaa.exe
1640	saaa.exe
1640	saaa.exe
1640	saaa.exe
784	saaa.exe
784	saaa.exe
784	saaa.exe
2288	saaa.exe
2288	saaa.exe
2288	saaa.exe
2016	saaa.exe
2016	saaa.exe
2016	saaa.exe
2368	saaa.exe
2368	saaa.exe
2368	saaa.exe
2204	saaa.exe
2204	saaa.exe
2204	saaa.exe
1040	saaa.exe
1040	saaa.exe
1040	saaa.exe
2244	saaa.exe
2244	saaa.exe
2244	saaa.exe
1132	saaa.exe
1132	saaa.exe
1132	saaa.exe
844	saaa.exe
844	saaa.exe
844	saaa.exe
2536	saaa.exe
2536	saaa.exe
2536	saaa.exe
2164	saaa.exe
2164	saaa.exe
2164	saaa.exe
2148	saaa.exe
2148	saaa.exe
2148	saaa.exe
1632	saaa.exe
1632	saaa.exe
1632	saaa.exe
2204	saaa.exe
2204	saaa.exe
2204	saaa.exe
2188	saaa.exe
2188	saaa.exe
2188	saaa.exe
844	saaa.exe
844	saaa.exe
844	saaa.exe
2180	saaa.exe
2180	saaa.exe
2180	saaa.exe
1096	saaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 3040 wrote to memory of 2784	3040	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	30
PID 2784 wrote to memory of 2820	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	31
PID 2784 wrote to memory of 2820	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	31
PID 2784 wrote to memory of 2820	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	31
PID 2784 wrote to memory of 2820	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	31
PID 2784 wrote to memory of 2820	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	31
PID 2784 wrote to memory of 2796	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	32
PID 2784 wrote to memory of 2796	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	32
PID 2784 wrote to memory of 2796	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	32
PID 2784 wrote to memory of 2796	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	32
PID 2784 wrote to memory of 2796	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	32
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	33
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	33
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	33
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	33
PID 2784 wrote to memory of 2744	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	33
PID 2784 wrote to memory of 2264	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	34
PID 2784 wrote to memory of 2264	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	34
PID 2784 wrote to memory of 2264	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	34
PID 2784 wrote to memory of 2264	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	34
PID 2784 wrote to memory of 2264	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	34
PID 2784 wrote to memory of 2860	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	35
PID 2784 wrote to memory of 2860	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	35
PID 2784 wrote to memory of 2860	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	35
PID 2784 wrote to memory of 2860	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	35
PID 2784 wrote to memory of 2860	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	35
PID 2784 wrote to memory of 2584	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	36
PID 2784 wrote to memory of 2584	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	36
PID 2784 wrote to memory of 2584	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	36
PID 2784 wrote to memory of 2584	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	36
PID 2784 wrote to memory of 2584	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	36
PID 2784 wrote to memory of 2740	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	37
PID 2784 wrote to memory of 2740	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	37
PID 2784 wrote to memory of 2740	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	37
PID 2784 wrote to memory of 2740	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	37
PID 2784 wrote to memory of 2740	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	37
PID 2784 wrote to memory of 1508	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	38
PID 2784 wrote to memory of 1508	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	38
PID 2784 wrote to memory of 1508	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	38
PID 2784 wrote to memory of 1508	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	38
PID 2784 wrote to memory of 2720	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	39
PID 2784 wrote to memory of 2720	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	39
PID 2784 wrote to memory of 2720	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	39
PID 2784 wrote to memory of 2720	2784	JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe	39
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2720 wrote to memory of 2628	2720	saaa.exe	40
PID 2628 wrote to memory of 1092	2628	saaa.exe	41
PID 2628 wrote to memory of 1092	2628	saaa.exe	41
PID 2628 wrote to memory of 1092	2628	saaa.exe	41
PID 2628 wrote to memory of 1092	2628	saaa.exe	41
PID 2628 wrote to memory of 1092	2628	saaa.exe	41
PID 2628 wrote to memory of 932	2628	saaa.exe	42
PID 2628 wrote to memory of 932	2628	saaa.exe	42
PID 2628 wrote to memory of 932	2628	saaa.exe	42
PID 2628 wrote to memory of 932	2628	saaa.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80fae472f8dc5bcee4ed2191088a18c7.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2820
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2796
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2744
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2264
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2860
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2584
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1508
- - C:\Windows\downswae\saaa.exe
    "C:\Windows\downswae\saaa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\downswae\saaa.exe
      "C:\Windows\downswae\saaa.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1092
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:932
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1512
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1296
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2160
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2196
    - - C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2524
      - C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1280
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1640
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2872
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:784
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1424
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2288
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2068
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2016
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2380
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2368
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2680
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:576
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1040
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:828
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2244
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1812
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1132
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1716
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:844
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2684
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2536
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2824
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2164
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1972
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2148
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1672
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1632
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2668
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1960
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2188
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2932
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:844
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        40⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1776
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2180
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1004
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1096
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:3064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2252
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2084
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:3040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1096
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        50⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3224
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        52⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3400
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3584
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        56⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3764
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        58⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3948
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3080
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        62⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3320
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\downswae\saaa.exe
        
        "C:\Windows\downswae\saaa.exe"
        64⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PE-SCRYPTED.BIN

Filesize
19KB

MD5
8051053e3d903fbb35073cfe640a75e9

SHA1
e9c9c68de3155f94fff20a0fc1ecf3479c96239e

SHA256
c31522f6755d2e5d161e2c9ae6f4f705c85ac301ae5da3b7d64e5e36f31305fc

SHA512
9198e7dbea9e722a74755c09e13e7fad01fb0431494a5049210388baee6e4c3ae3ce5048baca85199ca908cc454f5c7c91081684a99bcc637ec0ce077299caeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
135b08bad59f12918f90ce3e59c5ad9a

SHA1
75ccf34aa643b63b48629bfd3c507e96c9f6019f

SHA256
75c7341da8f0235c3fd45140c5b38f3892162f3759ab42c1112c8956e8d8bacb

SHA512
2e01b60fc1272388763e54f62e6efa1d3758fe4dce3017b90b64b751aa277473aa4a0315ae1dd449c8f598b9889a3e9c9f5f93ad58f145ba0721a8880f1121a5

Download Submit
\Windows\downswae\saaa.exe

Filesize
638KB

MD5
80fae472f8dc5bcee4ed2191088a18c7

SHA1
c642feadabeef69b0b767ad6fa62dfcac323d835

SHA256
9b9ead362e99714a74079a2d0d2506686bdbfb1d41a565e1ee4ecdea6bc34b63

SHA512
8f0cc461be72ac418ab2788913c89ed57e5fa5322fefd6cda0934e95fd24f9cb826f082791f3254f890c46ad969b9ad9edac210b3fb8ffb13fed38eab7ee6199

Download Submit
memory/2628-43-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2628-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-15-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-13-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2784-23-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads