xtremerat | 25d3cf40606d6ae25bacc67043eafce757cc3ea4f03265ba424764ba7bd1e02c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Size

614KB
MD5

ec821cc8849cc2048ef1ebece9beed93
SHA1

f4fdd00d5633ff74f96c026ac7f70108ced797c3
SHA256

25d3cf40606d6ae25bacc67043eafce757cc3ea4f03265ba424764ba7bd1e02c
SHA512

f7515701507eabc30523ae454578340a0ba8008ef4908d188e4e50e06a81143eb9448aa6e3bd66f433f24fc6c4b40ddcc5b4afa80a55a66906b7d85975b7e443
SSDEEP

12288:QEa/SrIP7l+0IusoHS5VweemGmWHZWZ7VcHOeqi7xAZKJJhDl7QdF1igXg:QEa/6YIuso0Vhm1HsZ7aHDqWKKJJ7WXw

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 9 IoCs

Processes:

resource	yara_rule
C:\Windows\InstallDir\Server.exe	family_xtremerat
behavioral2/memory/532-17-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/4980-41-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/1060-68-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/2548-91-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/4272-114-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/4356-144-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/4732-179-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat
behavioral2/memory/4112-216-0x0000000000C80000-0x0000000000D21000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 64 IoCs

Processes:

518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scrServer.exe518sara.scr518sara.scr

pid	process
432	518sara.scr
4980	Server.exe
1504	518sara.scr
4240	518sara.scr
1060	Server.exe
2484	518sara.scr
804	518sara.scr
2548	Server.exe
528	518sara.scr
2240	518sara.scr
4272	Server.exe
3164	518sara.scr
4308	518sara.scr
4356	Server.exe
396	518sara.scr
2216	518sara.scr
4732	Server.exe
224	518sara.scr
4252	518sara.scr
4112	Server.exe
4776	518sara.scr
404	518sara.scr
4376	Server.exe
3168	518sara.scr
1984	518sara.scr
3932	Server.exe
3872	518sara.scr
4860	518sara.scr
5048	Server.exe
3592	518sara.scr
2376	518sara.scr
3076	Server.exe
3004	518sara.scr
404	518sara.scr
3976	Server.exe
4532	518sara.scr
1776	518sara.scr
2496	Server.exe
4340	518sara.scr
3956	518sara.scr
5040	Server.exe
4836	518sara.scr
740	518sara.scr
3380	Server.exe
2936	518sara.scr
4028	518sara.scr
4232	Server.exe
1512	518sara.scr
4528	518sara.scr
2036	Server.exe
1868	518sara.scr
3720	518sara.scr
3080	Server.exe
4236	518sara.scr
2588	518sara.scr
2252	Server.exe
3932	518sara.scr
4272	518sara.scr
404	Server.exe
1776	518sara.scr
1524	518sara.scr
5020	Server.exe
2396	518sara.scr
60	518sara.scr

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 60 IoCs

Processes:

518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr518sara.scr

description	pid	process
PID 432 set thread context of 0	432	518sara.scr
PID 432 set thread context of 1504	432	518sara.scr	518sara.scr
PID 4240 set thread context of 0	4240	518sara.scr
PID 4240 set thread context of 2484	4240	518sara.scr	518sara.scr
PID 804 set thread context of 0	804	518sara.scr
PID 804 set thread context of 528	804	518sara.scr	518sara.scr
PID 2240 set thread context of 0	2240	518sara.scr
PID 2240 set thread context of 3164	2240	518sara.scr	518sara.scr
PID 4308 set thread context of 0	4308	518sara.scr
PID 4308 set thread context of 396	4308	518sara.scr	518sara.scr
PID 2216 set thread context of 0	2216	518sara.scr
PID 2216 set thread context of 224	2216	518sara.scr	518sara.scr
PID 4252 set thread context of 0	4252	518sara.scr
PID 4252 set thread context of 4776	4252	518sara.scr	518sara.scr
PID 404 set thread context of 0	404	518sara.scr
PID 404 set thread context of 3168	404	518sara.scr	518sara.scr
PID 1984 set thread context of 0	1984	518sara.scr
PID 1984 set thread context of 3872	1984	518sara.scr	518sara.scr
PID 4860 set thread context of 0	4860	518sara.scr
PID 4860 set thread context of 3592	4860	518sara.scr	518sara.scr
PID 2376 set thread context of 0	2376	518sara.scr
PID 2376 set thread context of 3004	2376	518sara.scr	518sara.scr
PID 404 set thread context of 0	404	518sara.scr
PID 404 set thread context of 4532	404	518sara.scr	518sara.scr
PID 1776 set thread context of 0	1776	518sara.scr
PID 1776 set thread context of 4340	1776	518sara.scr	518sara.scr
PID 3956 set thread context of 0	3956	518sara.scr
PID 3956 set thread context of 4836	3956	518sara.scr	518sara.scr
PID 740 set thread context of 0	740	518sara.scr
PID 740 set thread context of 2936	740	518sara.scr	518sara.scr
PID 4028 set thread context of 0	4028	518sara.scr
PID 4028 set thread context of 1512	4028	518sara.scr	518sara.scr
PID 4528 set thread context of 0	4528	518sara.scr
PID 4528 set thread context of 1868	4528	518sara.scr	518sara.scr
PID 3720 set thread context of 0	3720	518sara.scr
PID 3720 set thread context of 4236	3720	518sara.scr	518sara.scr
PID 2588 set thread context of 0	2588	518sara.scr
PID 2588 set thread context of 3932	2588	518sara.scr	518sara.scr
PID 4272 set thread context of 0	4272	518sara.scr
PID 4272 set thread context of 1776	4272	518sara.scr	518sara.scr
PID 1524 set thread context of 0	1524	518sara.scr
PID 1524 set thread context of 2396	1524	518sara.scr	518sara.scr
PID 60 set thread context of 0	60	518sara.scr
PID 60 set thread context of 3480	60	518sara.scr	518sara.scr
PID 3084 set thread context of 0	3084	518sara.scr
PID 3084 set thread context of 1840	3084	518sara.scr	518sara.scr
PID 1112 set thread context of 0	1112	518sara.scr
PID 1112 set thread context of 2300	1112	518sara.scr	518sara.scr
PID 1884 set thread context of 0	1884	518sara.scr
PID 1884 set thread context of 4952	1884	518sara.scr	518sara.scr
PID 5180 set thread context of 0	5180	518sara.scr
PID 5180 set thread context of 5248	5180	518sara.scr	518sara.scr
PID 5448 set thread context of 0	5448	518sara.scr
PID 5448 set thread context of 5508	5448	518sara.scr	518sara.scr
PID 5676 set thread context of 0	5676	518sara.scr
PID 5676 set thread context of 5748	5676	518sara.scr	518sara.scr
PID 5952 set thread context of 0	5952	518sara.scr
PID 5952 set thread context of 6012	5952	518sara.scr	518sara.scr
PID 5236 set thread context of 0	5236	518sara.scr
PID 5236 set thread context of 5184	5236	518sara.scr	518sara.scr

Drops file in Windows directory 2 IoCs

Processes:

ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	518sara.scr

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

pid	process
432	518sara.scr
4240	518sara.scr
804	518sara.scr
2240	518sara.scr
4308	518sara.scr
2216	518sara.scr
4252	518sara.scr
404	518sara.scr
1984	518sara.scr
4860	518sara.scr
2376	518sara.scr
404	518sara.scr
1776	518sara.scr
3956	518sara.scr
740	518sara.scr
4028	518sara.scr
4528	518sara.scr
3720	518sara.scr
2588	518sara.scr
4272	518sara.scr
1524	518sara.scr
60	518sara.scr
3084	518sara.scr
1112	518sara.scr
1884	518sara.scr
5180	518sara.scr
5448	518sara.scr
5676	518sara.scr
5952	518sara.scr
5236	518sara.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exeServer.exe518sara.scr

description	pid	process	target process
PID 532 wrote to memory of 2336	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 2336	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 2336	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4664	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4664	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4664	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 388	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 388	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 388	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4008	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4008	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4008	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 3052	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 3052	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 3052	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4552	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4552	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 4552	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 2212	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 2212	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 2212	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 1836	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 1836	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	msedge.exe
PID 532 wrote to memory of 432	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	518sara.scr
PID 532 wrote to memory of 432	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	518sara.scr
PID 532 wrote to memory of 432	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	518sara.scr
PID 532 wrote to memory of 4980	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	Server.exe
PID 532 wrote to memory of 4980	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	Server.exe
PID 532 wrote to memory of 4980	532	ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe	Server.exe
PID 4980 wrote to memory of 4292	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 4292	4980	Server.exe	msedge.exe
PID 432 wrote to memory of 0	432	518sara.scr
PID 432 wrote to memory of 0	432	518sara.scr
PID 432 wrote to memory of 0	432	518sara.scr
PID 432 wrote to memory of 0	432	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 432 wrote to memory of 1504	432	518sara.scr	518sara.scr
PID 4980 wrote to memory of 4292	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3968	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3968	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3968	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3132	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3132	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3132	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3148	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3148	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3148	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 2436	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 2436	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 2436	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3568	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3568	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3568	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3652	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3652	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 3652	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 4324	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 4324	4980	Server.exe	msedge.exe
PID 4980 wrote to memory of 4240	4980	Server.exe	518sara.scr

C:\Users\Admin\AppData\Local\Temp\ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec821cc8849cc2048ef1ebece9beed93_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
3⤵
- Executes dropped EXE
PID:1504

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
4⤵
- Executes dropped EXE
PID:2484

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
3⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
5⤵
- Executes dropped EXE
PID:528

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
4⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
6⤵
- Executes dropped EXE
PID:3164

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
7⤵
- Executes dropped EXE
PID:396

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
6⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
8⤵
- Executes dropped EXE
PID:224

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
7⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
9⤵
- Executes dropped EXE
PID:4776

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
8⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:404

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
10⤵
- Executes dropped EXE
PID:3168

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
9⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
11⤵
- Executes dropped EXE
PID:3872

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
10⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
12⤵
- Executes dropped EXE
PID:3592

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
11⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
13⤵
- Executes dropped EXE
PID:3004

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
12⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:404

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
14⤵
- Executes dropped EXE
PID:4532

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
13⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
15⤵
- Executes dropped EXE
PID:4340

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
14⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
16⤵
- Executes dropped EXE
PID:4836

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
15⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:740

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
17⤵
- Executes dropped EXE
PID:2936

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
16⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
18⤵
- Executes dropped EXE
PID:1512

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
17⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
19⤵
- Executes dropped EXE
PID:1868

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
18⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
20⤵
- Executes dropped EXE
PID:4236

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
19⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
20⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
21⤵
- Executes dropped EXE
PID:3932

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
20⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
22⤵
- Executes dropped EXE
PID:1776

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
21⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
22⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
23⤵
- Executes dropped EXE
PID:2396

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
22⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:60

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
24⤵
PID:3480

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
23⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
24⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
24⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
25⤵
PID:1840

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
24⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
25⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
26⤵
PID:2300

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
25⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
26⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
26⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
27⤵
PID:4952

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
26⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
27⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5180

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
28⤵
PID:5248

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
27⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
28⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
28⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5448

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
29⤵
PID:5508

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
28⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
29⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5676

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
30⤵
PID:5748

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
29⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
30⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
30⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5952

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
31⤵
PID:6012

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
30⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr" /S
31⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5236

C:\Users\Admin\AppData\Local\Temp\518sara.scr
"C:\Users\Admin\AppData\Local\Temp\518sara.scr"
32⤵
PID:5184

C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
31⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
32⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
32⤵
PID:5420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\518sara.scr
Filesize
572KB

MD5
1f2f33d1d4c43220d774cf377de0232d

SHA1
e66e859e4d87870e6e68d5b255c5b3a9e6401538

SHA256
ddc7977e38f7f4316e4fad68f563fca33592a766009e9321de8eeb0dc69ac438

SHA512
571aeee9936176478833d70610f7a0f7b0bc93b4e6df8f526b7e8720d0abb59cdaa498b1ed55ba8f914f4ad2c0745b2fdd01e70cf631440f7b217ea789264288

Download Submit
C:\Users\Admin\AppData\Local\Temp\518sara.scr.exe
Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
3ceeeb4b608ca8889f18528ff4f77cd4

SHA1
ef926ce5c8e7b88828553fa71289f2abd5b6161d

SHA256
440575e5d8cdebe0ead9b0e8a53e822140dd87f9c36779f9b5722f29c51cced8

SHA512
7be65ac0d11a25f4ceb422a482befd60902164d4910d17029a1cfe950e770542421ab36b37c873ac720052781fe775230931ab20f2b8db95b1d69d3523c5a955

Download Submit
C:\Windows\InstallDir\Server.exe
Filesize
614KB

MD5
ec821cc8849cc2048ef1ebece9beed93

SHA1
f4fdd00d5633ff74f96c026ac7f70108ced797c3

SHA256
25d3cf40606d6ae25bacc67043eafce757cc3ea4f03265ba424764ba7bd1e02c

SHA512
f7515701507eabc30523ae454578340a0ba8008ef4908d188e4e50e06a81143eb9448aa6e3bd66f433f24fc6c4b40ddcc5b4afa80a55a66906b7d85975b7e443

Download Submit
memory/224-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/396-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/404-217-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/404-239-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/432-22-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/432-19-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/432-28-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/432-29-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/432-16-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/432-21-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/432-18-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/432-35-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/432-24-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/528-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-17-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/804-70-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/804-75-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/804-73-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/804-71-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/804-83-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/804-69-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/804-66-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1060-68-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/1504-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1504-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2216-162-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2216-165-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2216-167-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-145-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2216-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2216-146-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2216-164-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-153-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-152-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-158-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-150-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-166-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2216-163-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2240-93-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2240-106-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2240-101-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2240-96-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2240-94-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2240-92-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2484-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2548-91-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/3164-107-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4112-216-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/4240-51-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4240-59-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4240-44-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4240-47-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4240-40-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4240-50-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4252-193-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-181-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4252-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4252-202-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-197-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-196-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4252-195-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-192-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-183-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-188-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-186-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-182-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4252-178-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4252-177-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4272-114-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/4308-116-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4308-203-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-136-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-115-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4308-118-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-128-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-117-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4308-121-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-133-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-131-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-134-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-125-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-127-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/4308-135-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4356-144-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/4732-179-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download
memory/4980-41-0x0000000000C80000-0x0000000000D21000-memory.dmp

Filesize
644KB

Download