xtremerat | babd8d0db22a6c7d0a9f21ba477f87964d6a05e1673cc9271a6a687f13f53621

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
Size

76KB
MD5

2655a561cab708a2f5cb053942f3e510
SHA1

dfccf9e17a91e0d1fe2267284de4772adeaa4325
SHA256

babd8d0db22a6c7d0a9f21ba477f87964d6a05e1673cc9271a6a687f13f53621
SHA512

3921b8c92e79d7e77e7316d34b57a14926a8548bebd1b275cdd5229c06cd2fecb4448f99d811e58c0defce45d6f4c66f4af3f7951f7bf1efa971ebda65557e68
SSDEEP

1536:Bb6HygArDJUvOEfmhkM/Wsqq16jIR751FjOzow3OmI3/XU4lRtMi7p2J:deygoU2OmXWsojIR91FW+mh4lR9i

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 46 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-2-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2956-16-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1796-18-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1796-22-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2892-24-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2892-29-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1704-31-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1704-35-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3024-41-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1052-42-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1052-45-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/308-51-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2088-55-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1256-61-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2504-65-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1716-72-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2272-77-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1604-82-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2752-83-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2752-86-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2248-92-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1936-93-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1936-96-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2256-102-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/576-103-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/576-106-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1552-113-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1984-112-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1552-117-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2700-122-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1744-123-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1744-126-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2380-132-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/912-131-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/2380-135-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/816-141-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1200-142-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/1200-145-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3084-151-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3208-152-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3208-156-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3324-161-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3444-162-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3444-166-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3568-171-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat
behavioral1/memory/3688-175-0x0000000000C80000-0x0000000000CAE000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

Executes dropped EXE 32 IoCs

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

pid	process
1796	Server.exe
2892	Server.exe
1704	Server.exe
3024	Server.exe
1052	Server.exe
308	Server.exe
2088	Server.exe
1256	Server.exe
2504	Server.exe
1716	Server.exe
2272	Server.exe
1604	Server.exe
2752	Server.exe
2248	Server.exe
1936	Server.exe
2256	Server.exe
576	Server.exe
1984	Server.exe
1552	Server.exe
2700	Server.exe
1744	Server.exe
912	Server.exe
2380	Server.exe
816	Server.exe
1200	Server.exe
3084	Server.exe
3208	Server.exe
3324	Server.exe
3444	Server.exe
3568	Server.exe
3688	Server.exe
3808	Server.exe

Loads dropped DLL 2 IoCs

Processes:

2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe

pid process

2956 2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
2956 2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe

pid	process
2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Drops file in Windows directory 2 IoCs

Processes:

2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exeServer.exe

description	pid	process	target process
PID 2956 wrote to memory of 896	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 896	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 896	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 896	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 896	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2140	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2140	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2140	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2140	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2140	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1672	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1672	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1672	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1672	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1672	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2424	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2424	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2424	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2424	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2424	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2444	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2444	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2444	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2444	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2444	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2900	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2900	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2900	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2900	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2900	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2128	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2128	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2128	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2128	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 2128	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1156	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1156	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1156	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1156	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	iexplore.exe
PID 2956 wrote to memory of 1796	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	Server.exe
PID 2956 wrote to memory of 1796	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	Server.exe
PID 2956 wrote to memory of 1796	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	Server.exe
PID 2956 wrote to memory of 1796	2956	2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe	Server.exe
PID 1796 wrote to memory of 2792	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2792	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2792	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2792	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2792	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2740	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2740	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2740	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2740	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2740	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2788	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2788	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2788	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2788	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2788	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2780	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2780	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2780	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2780	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2780	1796	Server.exe	iexplore.exe
PID 1796 wrote to memory of 2724	1796	Server.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2655a561cab708a2f5cb053942f3e510_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1156

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2236

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3008

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2992

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1064

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:3036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2492

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2516

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:784

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1668

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2144

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2356

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:672

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
13⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2676

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:1980

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
15⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:3004

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
16⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:548

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
17⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:956

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
18⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2260

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
19⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:2348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:2272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:844

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
20⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2204

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
21⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:3024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1844

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
22⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:996

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
23⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2976

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
24⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:3012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1764

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
25⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2004

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
26⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1356

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
27⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3192

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
28⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3312

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
29⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3432

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
30⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3556

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
31⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3676

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
32⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3796

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
33⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
34⤵
PID:3844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
34⤵
PID:3856

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\zH+y8.cfg
Filesize
1KB

MD5
c8a0377a1f9cd1f2356ac87b70e38b27

SHA1
5e442464403e82e9339a6b056c063ce6dd377be4

SHA256
0c1e29bb4c7e9772d649cac6205635953a70b97ef00ae0fd3090217ac1da2298

SHA512
c08fcea7bc450b94772441bba41e1a30d5991e0ef3634ce5e2565f48d938935672c4cb898af0fc8a984eae13d124d5ec4bc2e188292b07d04ea2a7197b9f85ca

Download Submit
\Windows\InstallDir\Server.exe
Filesize
76KB

MD5
2655a561cab708a2f5cb053942f3e510

SHA1
dfccf9e17a91e0d1fe2267284de4772adeaa4325

SHA256
babd8d0db22a6c7d0a9f21ba477f87964d6a05e1673cc9271a6a687f13f53621

SHA512
3921b8c92e79d7e77e7316d34b57a14926a8548bebd1b275cdd5229c06cd2fecb4448f99d811e58c0defce45d6f4c66f4af3f7951f7bf1efa971ebda65557e68

Download Submit
memory/308-51-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/576-103-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/576-106-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/816-141-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/912-131-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1052-42-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1052-45-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1200-142-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1200-145-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1256-61-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1552-117-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1552-113-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1604-82-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1704-31-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1704-35-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1704-30-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1716-67-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1716-72-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1744-126-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1744-123-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1796-18-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1796-22-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1796-17-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1936-93-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1936-96-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1984-112-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2088-52-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2088-55-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2248-92-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2256-102-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2272-77-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2272-73-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2380-135-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2380-132-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2504-65-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2504-62-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2700-122-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2752-83-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2752-86-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2892-29-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2892-24-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2956-1-0x0000000000C92000-0x0000000000C93000-memory.dmp

Filesize
4KB

Download
memory/2956-0-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2956-16-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2956-2-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/2956-9-0x0000000002D30000-0x0000000002D5E000-memory.dmp

Filesize
184KB

Download
memory/3024-36-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3024-41-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3084-151-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3208-152-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3208-156-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3324-161-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3444-162-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3444-166-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3568-171-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3688-172-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/3688-175-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads