xtremerat | 0e445703baf044431ce9a8c9c4198c56b285ad2108ace100b2469e3acb1971d9

General

Target

fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
Size

19KB
MD5

fa58cabbd68d1e46518aee4da3c88474
SHA1

d95d0b8d4df44fe546359558b350ded16548e7ee
SHA256

0e445703baf044431ce9a8c9c4198c56b285ad2108ace100b2469e3acb1971d9
SHA512

ff33fc2fe86728e759b47a3afe23ff15e35f31ef1b5fd55b2fe046afbbc1eab7c9937f542c142f4996001e799a1e2fcf4a10d2ad1f9918acde8ace0ee103d603
SSDEEP

384:EHKZfuH87GowDqGoMwevqxP6k6zIDwPVBSwdoCZ/wNJj7R:ZZfuHUvwDKP6kMpfdqN3

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 62 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2072-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2556-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2396-19-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2556-17-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2396-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2196-24-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2196-26-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2580-28-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2580-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1260-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1260-36-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/112-37-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/112-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2076-42-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2076-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1816-46-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1816-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1564-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1564-54-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1964-55-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1964-58-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/560-60-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/560-62-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2864-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2864-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2964-68-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2964-73-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2900-74-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2900-79-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2776-80-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2776-82-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1696-84-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1696-88-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2192-89-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2192-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2344-93-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2344-97-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2832-98-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2832-101-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/268-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/268-106-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1824-107-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1824-109-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1400-111-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1400-115-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-116-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-118-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1608-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1608-123-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-125-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2308-127-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3116-129-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3116-133-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3236-134-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3352-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3236-136-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3352-142-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3476-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3476-145-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3588-147-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3588-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3712-152-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exefa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\server.exe restart"	server.exe

Executes dropped EXE 31 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

pid	process
2556	server.exe
2396	server.exe
2196	server.exe
2580	server.exe
1260	server.exe
112	server.exe
2076	server.exe
1816	server.exe
1564	server.exe
1964	server.exe
560	server.exe
2864	server.exe
2964	server.exe
2900	server.exe
2776	server.exe
1696	server.exe
2192	server.exe
2344	server.exe
2832	server.exe
268	server.exe
1824	server.exe
1400	server.exe
2308	server.exe
1608	server.exe
2308	server.exe
3116	server.exe
3236	server.exe
3352	server.exe
3476	server.exe
3588	server.exe
3712	server.exe

Loads dropped DLL 2 IoCs

Processes:

fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

pid process

2072 fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
2072 fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

pid	process
2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
\Windows\InstallDir\server.exe	upx
behavioral1/memory/2072-12-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2556-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2396-19-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2556-17-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2396-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2196-24-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2196-26-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2580-28-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2580-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1260-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1260-36-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/112-37-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/112-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2076-42-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2076-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1816-46-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1816-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1564-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1564-54-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1964-55-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1964-58-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/560-60-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/560-62-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2864-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2864-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2964-68-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2964-73-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2900-74-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2900-79-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2776-80-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2776-82-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1696-84-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1696-88-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-89-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-91-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-93-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2344-97-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2832-98-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2832-101-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/268-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/268-106-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1824-107-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1824-109-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1400-111-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1400-115-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-116-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-118-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1608-120-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1608-123-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-125-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2308-127-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3116-129-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3116-133-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3236-134-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3352-138-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3236-136-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3352-142-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3476-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3476-145-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3588-147-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3588-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3712-152-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exefa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\server.exe"	server.exe

Drops file in Windows directory 2 IoCs

Processes:

fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\server.exe	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
File created	C:\Windows\InstallDir\server.exe	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 2072 wrote to memory of 2284	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2284	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2284	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2284	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2284	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2992	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2992	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2992	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2992	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2992	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 3028	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 3028	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 3028	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 3028	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 3028	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2540	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2540	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2540	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2540	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2540	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2528	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2528	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2528	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2528	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2528	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2596	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2596	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2596	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2596	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2596	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2616	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2616	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2616	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2616	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2616	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2632	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2632	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2632	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2632	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	iexplore.exe
PID 2072 wrote to memory of 2556	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	server.exe
PID 2072 wrote to memory of 2556	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	server.exe
PID 2072 wrote to memory of 2556	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	server.exe
PID 2072 wrote to memory of 2556	2072	fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe	server.exe
PID 2556 wrote to memory of 3000	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 3000	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 3000	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 3000	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 3000	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2712	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2712	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2712	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2712	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2712	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2704	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2704	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2704	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2704	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2704	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2916	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2916	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2916	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2916	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2916	2556	server.exe	iexplore.exe
PID 2556 wrote to memory of 2180	2556	server.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa58cabbd68d1e46518aee4da3c88474_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:3028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2632

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2512

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1908

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2740

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:784

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:108

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:1536

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1900

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:1548

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
11⤵
PID:1972

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:2944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
12⤵
PID:1768

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:1464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
13⤵
PID:2876

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
13⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:3012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
14⤵
PID:2548

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
15⤵
PID:2464

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
15⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
16⤵
PID:2460

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
16⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
17⤵
PID:1336

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
17⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:3056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18⤵
PID:240

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:3016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:2612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:1940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
19⤵
PID:280

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
19⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:2808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
20⤵
PID:1156

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
20⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:3032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
21⤵
PID:660

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
21⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:1640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
22⤵
PID:2132

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
22⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
23⤵
PID:1964

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
23⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
24⤵
PID:980

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:3024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:1008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
25⤵
PID:2320

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
25⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:2412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
26⤵
PID:1956

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
26⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:1032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:3084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:3096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
27⤵
PID:3104

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
27⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
28⤵
PID:3224

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
28⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
29⤵
PID:3340

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
29⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
30⤵
PID:3464

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
31⤵
PID:3576

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
31⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
32⤵
PID:3700

C:\Windows\InstallDir\server.exe
"C:\Windows\InstallDir\server.exe"
32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
33⤵
PID:3784

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
99ebc5f2b6b8cff92c04cafc1944833f

SHA1
c552e666fb4cbba1181700f157972b28fbfa0333

SHA256
c9a5331cef39b19dd50fb834a64f887aedd416de1c8a0ba72248368d31f004f6

SHA512
14ed42aa7845fc5d6635556d9bc667ac9c38df72a074838253ae418cb9a1220aec30bf6314c13d1acffbe485663441e02998ef6267ca6be3892f7dfa32307dcf

Download Submit
\Windows\InstallDir\server.exe
Filesize
19KB

MD5
fa58cabbd68d1e46518aee4da3c88474

SHA1
d95d0b8d4df44fe546359558b350ded16548e7ee

SHA256
0e445703baf044431ce9a8c9c4198c56b285ad2108ace100b2469e3acb1971d9

SHA512
ff33fc2fe86728e759b47a3afe23ff15e35f31ef1b5fd55b2fe046afbbc1eab7c9937f542c142f4996001e799a1e2fcf4a10d2ad1f9918acde8ace0ee103d603

Download Submit
memory/112-41-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/112-37-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/268-106-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/268-102-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/560-62-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/560-60-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1260-33-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1260-36-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1400-115-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1400-111-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1564-54-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1564-51-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1608-123-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1608-120-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1696-84-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1696-88-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1816-46-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1816-50-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1824-109-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1824-107-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1964-55-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1964-58-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2072-12-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2072-13-0x0000000002800000-0x0000000002815000-memory.dmp

Filesize
84KB

Download
memory/2072-0-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2076-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2076-42-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-89-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-91-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2196-26-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2196-24-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-127-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-125-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-118-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2308-116-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-93-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2344-97-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2396-23-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2396-19-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2556-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2556-17-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2580-32-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2580-28-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2776-82-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2776-80-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2832-101-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2832-98-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2864-66-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2864-64-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2900-79-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2900-74-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2964-68-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2964-73-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3116-129-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3116-133-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3236-134-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3236-136-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3352-138-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3352-142-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3476-143-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3476-145-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3588-147-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3588-151-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3712-152-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads