xtremerat | bb601ed2ce32c04f9aa2f377ca9efbe43ab5616a790b546bdf66f4ccc630916b

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
Size

420KB
MD5

182bec1c5055f7dae654b2b4564f132d
SHA1

a3c53f08f533cdaaa7e4c36a05f705096e7cdc12
SHA256

bb601ed2ce32c04f9aa2f377ca9efbe43ab5616a790b546bdf66f4ccc630916b
SHA512

c1c51360119a29840e7fef2b59df66c4fa038cceae6ceb45c029872d8ce16d68ee0f517d0bc4970f27ef243979311e46cf1f5c0197aebaf391ae3a7fef99bc12
SSDEEP

12288:M/xK4HINhCuu2lL/kDES/7bwmuq9ec4tshZ:QHHKhgOLW/nvcPG

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/3052-20-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-15-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-13-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-11-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-3-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3052-5-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 46 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O7BTCGC1-O86G-KAPR-7IMV-I74QA20QE8U0}	Server.exe

Executes dropped EXE 45 IoCs

pid	Process
2644	Server.exe
2440	Server.exe
2916	Server.exe
2032	Server.exe
1880	Server.exe
1640	Server.exe
2712	Server.exe
2060	Server.exe
3044	Server.exe
1984	Server.exe
780	Server.exe
952	Server.exe
564	Server.exe
1704	Server.exe
1836	Server.exe
1904	Server.exe
2868	Server.exe
1652	Server.exe
2172	Server.exe
1784	Server.exe
2112	Server.exe
3044	Server.exe
1100	Server.exe
780	Server.exe
2884	Server.exe
2536	Server.exe
1800	Server.exe
2204	Server.exe
2248	Server.exe
2104	Server.exe
1080	Server.exe
2932	Server.exe
1836	Server.exe
2676	Server.exe
2208	Server.exe
1268	Server.exe
1960	Server.exe
1760	Server.exe
2644	Server.exe
2460	Server.exe
2112	Server.exe
1976	Server.exe
1588	Server.exe
2152	Server.exe
2300	Server.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 2644 set thread context of 2440	2644	Server.exe	38
PID 2916 set thread context of 2032	2916	Server.exe	48
PID 1880 set thread context of 1640	1880	Server.exe	58
PID 2712 set thread context of 2060	2712	Server.exe	68
PID 3044 set thread context of 1984	3044	Server.exe	78
PID 780 set thread context of 952	780	Server.exe	88
PID 564 set thread context of 1704	564	Server.exe	100
PID 1836 set thread context of 1904	1836	Server.exe	110
PID 2868 set thread context of 1652	2868	Server.exe	120
PID 2172 set thread context of 1784	2172	Server.exe	130
PID 2112 set thread context of 3044	2112	Server.exe	140
PID 1100 set thread context of 780	1100	Server.exe	150
PID 2884 set thread context of 2536	2884	Server.exe	160
PID 1800 set thread context of 2204	1800	Server.exe	170
PID 2248 set thread context of 2104	2248	Server.exe	180
PID 1080 set thread context of 2932	1080	Server.exe	190
PID 1836 set thread context of 2676	1836	Server.exe	200
PID 2208 set thread context of 1268	2208	Server.exe	210
PID 1960 set thread context of 1760	1960	Server.exe	220
PID 2644 set thread context of 2460	2644	Server.exe	230
PID 2112 set thread context of 1976	2112	Server.exe	240
PID 1588 set thread context of 2152	1588	Server.exe	250

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 1848 wrote to memory of 3052	1848	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	28
PID 3052 wrote to memory of 2016	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2016	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2016	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2016	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2016	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2252	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2252	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2252	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2252	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2252	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2020	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2020	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2020	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2020	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2020	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2360	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2360	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2360	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2360	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2360	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	32
PID 3052 wrote to memory of 3068	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	33
PID 3052 wrote to memory of 3068	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	33
PID 3052 wrote to memory of 3068	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	33
PID 3052 wrote to memory of 3068	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	33
PID 3052 wrote to memory of 3068	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	33
PID 3052 wrote to memory of 2572	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2572	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2572	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2572	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2572	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2560	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2560	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2560	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2560	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2560	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2588	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	36
PID 3052 wrote to memory of 2588	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	36
PID 3052 wrote to memory of 2588	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	36
PID 3052 wrote to memory of 2588	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	36
PID 3052 wrote to memory of 2644	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	37
PID 3052 wrote to memory of 2644	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	37
PID 3052 wrote to memory of 2644	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	37
PID 3052 wrote to memory of 2644	3052	182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38
PID 2644 wrote to memory of 2440	2644	Server.exe	38

C:\Users\Admin\AppData\Local\Temp\182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\182bec1c5055f7dae654b2b4564f132d_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2016
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2252
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2020
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3068
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2572
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2560
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2588
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\InstallDir\Server.exe
      C:\Windows\InstallDir\Server.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:2440
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2488
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2464
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2480
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2848
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2916
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1200
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2720
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2712
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2092
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3044
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1112
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:780
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1456
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:564
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:312
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1836
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2968
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2868
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1668
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2172
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2060
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2112
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1748
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1100
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2764
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2884
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1972
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1800
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:836
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2248
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1692
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1836
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1156
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2208
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1948
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1960
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        40⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2468
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2644
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1476
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2112
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:3040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2716
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1588
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1952
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        47⤵
        Executes dropped EXE
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TnmBfQ9.cfg

Filesize
1KB

MD5
620576551af5bc632902e75ecc11ec2f

SHA1
7cdc1050f61ff4ffc83e3e50aa790a99e26dbaaf

SHA256
a91d20fe5645d0d55d11a2fa90d9b9679cb3012a2ac6f494d9c72998c06f6140

SHA512
063f552cc3e0145563d49e58aad6bbb427f16ab24e02d009dbea5a67a156f562bf2e1e4d364652ed9c08c1ca682a1af1587f596899787e77e68afdea66583cd4

Download Submit
\Windows\InstallDir\Server.exe

Filesize
420KB

MD5
182bec1c5055f7dae654b2b4564f132d

SHA1
a3c53f08f533cdaaa7e4c36a05f705096e7cdc12

SHA256
bb601ed2ce32c04f9aa2f377ca9efbe43ab5616a790b546bdf66f4ccc630916b

SHA512
c1c51360119a29840e7fef2b59df66c4fa038cceae6ceb45c029872d8ce16d68ee0f517d0bc4970f27ef243979311e46cf1f5c0197aebaf391ae3a7fef99bc12

Download Submit
memory/1848-19-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/1848-0-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2644-53-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/2644-32-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2916-77-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/2916-57-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3052-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-2-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-11-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-20-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3052-1-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads