Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 14:09
Behavioral task: behavioral1
  Sample: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
Size: 47KB
MD5: 5352d2f8ae61a3d1e25915d0bf9ae0f3
SHA1: bb3645d3ab000883698684bb0069151e25cfec21
SHA256: 636b5de6c26209dffb13c6ae0cb3f8cce92b3a734a7f4a0f64eb71236a323ccf
SHA512: b6bfe4e79047b4bc57f6c4acf3b2c2ef916c286b24119414b09f3dbc7d4e81ffd0a69ab176a6d2a3524a63faee316eac093c60a6c4ca1225723eb2e3cd7b89ab
SSDEEP: 768:feWP5ftbi5Cx55Y5Mt0d3K062tuROGtkiIDWNmWsS6YrhtYpcCl7nBtJQ:feEftbd5iuKxr3GOGtlUPaXhtAcCdBty
Malware Config
Extracted
Family: xtremerat
C2: hitler96.no-ip.org
Signatures

Detect XtremeRAT payload (8 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2712-3-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2712-7-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2712-4-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2712-9-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2688-18-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2712-24-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2688-224-0x0000000002840000-0x0000000002878000-memory.dmp | family_xtremerat
behavioral1/memory/2688-273-0x0000000002840000-0x0000000002878000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: Server.exe, 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe, svchost.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} | Server.exe
Executes dropped EXE (64 IoCs)
Processes: Server.exe
pid | Process
2852 | Server.exe
2632 | Server.exe
2072 | Server.exe
1956 | Server.exe
1232 | Server.exe
2940 | Server.exe
1784 | Server.exe
2388 | Server.exe
2384 | Server.exe
1136 | Server.exe
276 | Server.exe
1480 | Server.exe
3064 | Server.exe
2180 | Server.exe
2212 | Server.exe
1000 | Server.exe
1532 | Server.exe
880 | Server.exe
2572 | Server.exe
2624 | Server.exe
1912 | Server.exe
2124 | Server.exe
2812 | Server.exe
3012 | Server.exe
1352 | Server.exe
1928 | Server.exe
2476 | Server.exe
1356 | Server.exe
1480 | Server.exe
2304 | Server.exe
1740 | Server.exe
3028 | Server.exe
2832 | Server.exe
2712 | Server.exe
2120 | Server.exe
2424 | Server.exe
2768 | Server.exe
2124 | Server.exe
1988 | Server.exe
1048 | Server.exe
1608 | Server.exe
1532 | Server.exe
1020 | Server.exe
2012 | Server.exe
1884 | Server.exe
1452 | Server.exe
1084 | Server.exe
696 | Server.exe
1612 | Server.exe
1748 | Server.exe
880 | Server.exe
1608 | Server.exe
1912 | Server.exe
1020 | Server.exe
3036 | Server.exe
1052 | Server.exe
2396 | Server.exe
1372 | Server.exe
3132 | Server.exe
3152 | Server.exe
3252 | Server.exe
3276 | Server.exe
3344 | Server.exe
3372 | Server.exe
Loads dropped DLL (64 IoCs)
Processes: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe, Server.exe, svchost.exe
pid | Process
2712 | 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
2712 | 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
2632 | Server.exe
2632 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
1956 | Server.exe
1956 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2388 | Server.exe
2388 | Server.exe
1136 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2124 | Server.exe
2124 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2476 | Server.exe
2476 | Server.exe
2304 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2832 | Server.exe
2832 | Server.exe
2712 | Server.exe
2712 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
1048 | Server.exe
1048 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
1608 | Server.exe
1608 | Server.exe
1052 | Server.exe
1052 | Server.exe
1372 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
3856 | Server.exe
3856 | Server.exe
1496 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
3888 | Server.exe
3888 | Server.exe
3676 | Server.exe
2688 | svchost.exe
2688 | svchost.exe
4300 | Server.exe
Processes:
resource | yara_rule
behavioral1/memory/2096-0-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2712-8-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2096-6-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/files/0x0008000000016d49-19.dat | upx
behavioral1/memory/2852-31-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2072-54-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1232-66-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-65-0x0000000000390000-0x00000000003C8000-memory.dmp | upx
behavioral1/memory/1232-73-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1784-83-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1784-87-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/276-108-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2384-107-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3064-133-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2212-144-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2572-166-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1912-180-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1912-175-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2812-199-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1928-216-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1352-213-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1352-207-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-224-0x0000000002840000-0x0000000002878000-memory.dmp | upx
behavioral1/memory/1480-232-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1740-248-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3028-249-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3028-253-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2768-274-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2768-279-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1988-289-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-296-0x0000000002A40000-0x0000000002A78000-memory.dmp | upx
behavioral1/memory/1020-312-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1884-316-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1084-324-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1084-330-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1612-338-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/880-345-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-353-0x0000000002CC0000-0x0000000002CF8000-memory.dmp | upx
behavioral1/memory/1912-359-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2396-373-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3132-390-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1372-393-0x0000000003560000-0x0000000003598000-memory.dmp | upx
behavioral1/memory/3252-398-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-406-0x00000000043D0000-0x0000000004408000-memory.dmp | upx
behavioral1/memory/3500-419-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3620-426-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3460-472-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3536-475-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3532-516-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3196-518-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3532-521-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3152-532-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/4072-540-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1052-550-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/1052-547-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3704-558-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/3888-586-0x00000000036A0000-0x00000000036D8000-memory.dmp | upx
behavioral1/memory/4668-625-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2688-633-0x0000000004340000-0x0000000004378000-memory.dmp | upx
behavioral1/memory/4788-641-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/5100-663-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/4632-686-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/4752-699-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/4732-707-0x0000000000400000-0x0000000000438000-memory.dmp | upx
Drops file in System32 directory (64 IoCs)
Processes: Server.exe, 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\ | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File created | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\windows\Server.exe | Server.exe
Suspicious use of SetThreadContext (64 IoCs)
Processes: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe, Server.exe
description | pid | Process | procid_target
PID 2096 set thread context of 2712 | 2096 | 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe | 30
PID 2852 set thread context of 2632 | 2852 | Server.exe | 41
PID 2072 set thread context of 1956 | 2072 | Server.exe | 51
PID 1232 set thread context of 2940 | 1232 | Server.exe | 54
PID 1784 set thread context of 2388 | 1784 | Server.exe | 70
PID 2384 set thread context of 1136 | 2384 | Server.exe | 74
PID 276 set thread context of 1480 | 276 | Server.exe | 76
PID 3064 set thread context of 2180 | 3064 | Server.exe | 93
PID 2212 set thread context of 1000 | 2212 | Server.exe | 96
PID 1532 set thread context of 880 | 1532 | Server.exe | 98
PID 2572 set thread context of 2624 | 2572 | Server.exe | 114
PID 1912 set thread context of 2124 | 1912 | Server.exe | 118
PID 2812 set thread context of 3012 | 2812 | Server.exe | 121
PID 1352 set thread context of 2476 | 1352 | Server.exe | 139
PID 1928 set thread context of 1356 | 1928 | Server.exe | 140
PID 1480 set thread context of 2304 | 1480 | Server.exe | 143
PID 1740 set thread context of 2832 | 1740 | Server.exe | 161
PID 3028 set thread context of 2712 | 3028 | Server.exe | 162
PID 2120 set thread context of 2424 | 2120 | Server.exe | 166
PID 2768 set thread context of 2124 | 2768 | Server.exe | 188
PID 1988 set thread context of 1048 | 1988 | Server.exe | 191
PID 1608 set thread context of 1532 | 1608 | Server.exe | 194
PID 1020 set thread context of 2012 | 1020 | Server.exe | 210
PID 1884 set thread context of 1452 | 1884 | Server.exe | 213
PID 1084 set thread context of 696 | 1084 | Server.exe | 229
PID 1612 set thread context of 1748 | 1612 | Server.exe | 233
PID 880 set thread context of 1608 | 880 | Server.exe | 243
PID 1912 set thread context of 1020 | 1912 | Server.exe | 247
PID 3036 set thread context of 1052 | 3036 | Server.exe | 261
PID 2396 set thread context of 1372 | 2396 | Server.exe | 267
PID 3132 set thread context of 3152 | 3132 | Server.exe | 281
PID 3252 set thread context of 3276 | 3252 | Server.exe | 288
PID 3344 set thread context of 3372 | 3344 | Server.exe | 292
PID 3500 set thread context of 3516 | 3500 | Server.exe | 303
PID 3620 set thread context of 3644 | 3620 | Server.exe | 312
PID 3680 set thread context of 3716 | 3680 | Server.exe | 315
PID 3860 set thread context of 3880 | 3860 | Server.exe | 329
PID 4008 set thread context of 4024 | 4008 | Server.exe | 341
PID 4056 set thread context of 4072 | 4056 | Server.exe | 344
PID 3312 set thread context of 3328 | 3312 | Server.exe | 360
PID 3460 set thread context of 3156 | 3460 | Server.exe | 370
PID 3536 set thread context of 3652 | 3536 | Server.exe | 374
PID 3732 set thread context of 3856 | 3732 | Server.exe | 378
PID 1648 set thread context of 1496 | 1648 | Server.exe | 392
PID 3196 set thread context of 3112 | 3196 | Server.exe | 398
PID 3532 set thread context of 3640 | 3532 | Server.exe | 400
PID 3152 set thread context of 1648 | 3152 | Server.exe | 414
PID 4072 set thread context of 3876 | 4072 | Server.exe | 418
PID 1052 set thread context of 3312 | 1052 | Server.exe | 432
PID 3704 set thread context of 3908 | 3704 | Server.exe | 438
PID 3856 set thread context of 3888 | 3856 | Server.exe | 448
PID 1648 set thread context of 3676 | 1648 | Server.exe | 451
PID 4272 set thread context of 4300 | 4272 | Server.exe | 468
PID 4332 set thread context of 4356 | 4332 | Server.exe | 470
PID 4460 set thread context of 4484 | 4460 | Server.exe | 474
PID 4668 set thread context of 4692 | 4668 | Server.exe | 490
PID 4788 set thread context of 4828 | 4788 | Server.exe | 495
PID 4796 set thread context of 4852 | 4796 | Server.exe | 496
PID 5100 set thread context of 2284 | 5100 | Server.exe | 515
PID 5092 set thread context of 4108 | 5092 | Server.exe | 514
PID 4320 set thread context of 4324 | 4320 | Server.exe | 519
PID 4632 set thread context of 4652 | 4632 | Server.exe | 534
PID 4752 set thread context of 4768 | 4752 | Server.exe | 537
PID 4732 set thread context of 4872 | 4732 | Server.exe | 553
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1232 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1804
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2892
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2800
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2108
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2252
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:788
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1100
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1672
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:276 -
C:\Windows\SysWOW64\windows\Server.exe7⤵
- Executes dropped EXE
PID:1480
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1136 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:956
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2040
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:352
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1412
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1584
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2968
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1736
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2760
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2160
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1632
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2840
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2884
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1716
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2568
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2816
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2852
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1912 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2524
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2904
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:596
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:764
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1956
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1896
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2340
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2488
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1928 -
C:\Windows\SysWOW64\windows\Server.exe11⤵
- Executes dropped EXE
PID:1356
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1532 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Executes dropped EXE
PID:880
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2812 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1500
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2652
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1524
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:320
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1336
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1784
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2392
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2204
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1352 -
C:\Windows\SysWOW64\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:904
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3064
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1556
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1836
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1136
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2212
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1196
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:660
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2636
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2988
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3004
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2788
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3000
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:448
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1976
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3032
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2768 -
C:\Windows\SysWOW64\windows\Server.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:1472
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1480 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2084
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1780
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2456
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2368
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:804
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1224
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1820
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:884
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3028 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1320
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2992
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2608
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2812
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2332
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2080
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2196
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2320
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1988 -
C:\Windows\SysWOW64\windows\Server.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2056
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2304
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2444
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2828
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1212
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2164
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1808
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1000
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1020 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2300
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:1228
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2032
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2592
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:1236
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:1988
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:3008
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:984
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1084 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe13⤵
- Executes dropped EXE
PID:696 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:304
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2612
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2820
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2768
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2324
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1064
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:268
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2424
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:880 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2452
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:3048
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2756
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2120
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:696
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:880
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2192
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2072
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036 -
C:\Windows\SysWOW64\windows\Server.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:2560
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:928
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:1764
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:1452
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:1020
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:852
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:3080
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:3096
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3132 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe19⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3188
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3208
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3244
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3364
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3428
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3444
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3464
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:3480
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"20⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3500 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe21⤵
- Drops file in System32 directory
PID:3516 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3552
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3580
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3596
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3632
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3760
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3788
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3812
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:3840
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"22⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3860 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe23⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3880 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3920
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3952
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3976
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:4044
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3160
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3184
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:2496
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:3272
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"24⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3312 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe25⤵
- Drops file in System32 directory
PID:3328 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:3224
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:3280
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:2200
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 2120)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 2424)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 2216, 1340, 2628, 1232, 1164, 580
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 1608)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 1532)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 2856, 2580, 1740, 2644, 2732, 2240, 1904
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 1884)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 1452)
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 2980, 1460, 2640, 1564, 896, 1832, 1692, 2316
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 1612)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 1748)
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8, PID 1536)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 1912)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 1020)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 1748, 2476, 2020, 1084, 2376, 2996, 1968, 2952
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 2396)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 1372)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8), PIDs 2748, 2396, 1108, 628, 3088, 3104, 3200, 3216
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 8, PID 3252)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 9, PID 3276)
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10, PID 3336)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 3344)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3372)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 3412, 3436, 3452, 3472, 3492, 3572, 3588, 3608
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 3620)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 3644)
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8), PIDs 3696, 3772, 3796, 3824, 3848, 3936, 3960, 3988
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 8, PID 4008)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 9, PID 4024)
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10), PIDs 3124, 3132, 3260, 3232, 3252, 3404, 2052, 2276
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 10, PID 3460)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 11, PID 3156)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12), PIDs 3400, 3560, 3668, 4016, 4008, 3720, 4060, 4088
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 12, PID 1648)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 13, PID 1496)
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14), PIDs 3304, 3176, 3604, 3872, 2920, 3912, 3624, 4064
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 14, PID 3152)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 15, PID 1648)
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 16), PIDs 3524, 3512, 3460, 3620, 3692, 3348, 3892, 3120
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 16, PID 1052)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 17, PID 3312)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 18), PIDs 3564, 3396
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 3680)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3716)
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 3748, 3780, 3804, 3832, 3900, 3944, 3968, 3996
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 4056)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 4072)
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8), PIDs 3148, 3172, 3240, 3264, 3296, 3308, 2016, 3504
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 8, PID 3536)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 9, PID 3652)
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10, PID 3684)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 3732)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3856)
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 3932, 3648, 4032, 3756, 3716, 4080, 3884, 4092
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 6, PID 3532)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 7, PID 3640)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 3196)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3112)
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 3708, 3740, 2352, 3896, 3688, 3616
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 4072)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3876)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 3328, 3036, 3744, 2516, 3352, 1496, 4024, 3344
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 3704)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 3908)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8), PIDs 1052, 3508, 4076, 3380, 3876, 3384, 3152, 3360
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 8, PID 3856)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 9, PID 3888)
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10), PIDs 3536, 4128, 4144, 4164, 4180, 4204, 4220, 4240
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 10, PID 4272)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 11, PID 4300)
- Loads dropped DLL
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12), PIDs 4408, 4508, 4544, 4564, 4580, 4600, 4616, 4636
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 12, PID 4668)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 13, PID 4692)
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14), PIDs 4760, 4932, 4948, 4968, 4984, 5008, 5024, 5044
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 14, PID 5092)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 15, PID 4108)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 1648)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 3676)
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 4116, 4136, 4156, 4172, 4192, 4212, 4232, 4264
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 6, PID 4332)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 7, PID 4356)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8, PID 4448)
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 4, PID 4460)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 5, PID 4484)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6), PIDs 4536, 4552, 4572, 4588, 4608, 4624, 4644, 4712
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (depth 6, PID 4788)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 7, PID 4828)
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8), PIDs 4900, 4940, 4960, 4976, 5000, 5016, 5036, 5068
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 8, PID 5100)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 9, PID 2284)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10), PIDs 4272, 1648, 4384, 4404, 4432, 4480, 4500, 4420
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (depth 10, PID 4632)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\windows\Server.exe (depth 11, PID 4652)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12), PIDs 4740, 4488, 4860, 4868, 4896, 4916, 4784, 5032
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 12, PID 4732)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 13, PID 4872)
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14), PIDs 4260, 4392, 4300, 4700, 4324, 4744, 4752, 4808
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (depth 14, PID 4788)
C:\Users\Admin\AppData\Roaming\windows\Server.exe (depth 15, PID 4848)
- Drops file in System32 directory
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 16), PIDs 4908, 5076, 4108, 2284, 3312, 4872, 4792, 4696
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"16⤵PID:3168
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe17⤵
- Drops file in System32 directory
PID:4248 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:4360
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:4656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:5084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:4188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:4732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:5128
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:5152
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:5180
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"18⤵PID:5192
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe19⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5216 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5288
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5376
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5508
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:5536
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"20⤵PID:5548
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe21⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5588 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:5620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:5648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:5732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:5756
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:5784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4796 -
C:\Windows\SysWOW64\windows\Server.exe5⤵PID:4852
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4320 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:4324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4396
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4460
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4560
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4752 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:4768 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4820
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4884
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4992
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4100
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵PID:4256
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3312 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4348
-
-
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵PID:4468
-
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Drops file in System32 directory
PID:3320 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4372
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4528
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5116
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5056
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"6⤵PID:4732
-
C:\Windows\SysWOW64\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5104 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4336
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3856
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:5060
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3888
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"8⤵PID:3372
-
C:\Windows\SysWOW64\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5096 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4496
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4284
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1600
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5160
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5200
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5264
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"10⤵PID:5280
-
C:\Windows\SysWOW64\windows\Server.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5304 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5364
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5516
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5632
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"12⤵PID:5660
-
C:\Windows\SysWOW64\windows\Server.exe13⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5676 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:5708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:5740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:5764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:5808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:5944
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵PID:4256
-
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:4340 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4440
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4288
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4308
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵PID:4848
-
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:3372 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4652
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4688
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5144
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5172
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵PID:5392
-
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5416 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5524
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5580
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5640
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5776
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"6⤵PID:5816
-
C:\Windows\SysWOW64\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5836 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:5900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:5956
-
-
-
-
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵PID:5856
-
C:\Windows\SysWOW64\windows\Server.exe5⤵PID:5872
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:5964
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2680
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2880
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2872
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2728
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\windows\Server.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1076
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2244
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2288
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2148
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2072 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1956 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2264
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2256
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:536
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1176
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1784 -
C:\Windows\SysWOW64\windows\Server.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:272
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2100
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1948
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1924
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1640
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2848
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2556
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2572 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2272
-
-
-
-
-
-
-
-
-
-
-
-
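The tree above is rendered as flattened rows, which hides the relationships an analyst actually cares about: which Server.exe spawned which browser, how many argument-less iexplore.exe children each copy produced, and where the SetThreadContext and Active Setup signatures sit relative to the drop locations. The script below is an added example, not part of the sandbox report. It parses rows in the same shape the report uses (a handful constructed inline, borrowing PIDs and paths from the tree), rebuilds parent/child links from the depth numbers, and extracts the indicators worth pivoting on. The two drop-directory suffixes, the "explorer.exe is the expected parent of a browser" heuristic, and the output key names are assumptions of this example, not fields the report defines.

```python
"""Rebuild the sandbox's flattened process tree and flag the XtremeRAT pattern
it shows: a dropped Server.exe launching a copy of itself (SetThreadContext),
a fan-out of argument-less iexplore.exe children, and Active Setup persistence.
Added example, not part of the report; the rows are constructed in the same
shape the report renders its tree."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Row shape: <image>"<cmdline>"<depth>⤵PID:<pid>.  Command line and PID are
# optional: the report moves the PID to its own line when signature bullets follow.
ROW_RE = re.compile(r'^(?P<image>[A-Za-z]:\\[^"⤵]+?)(?:"(?P<cmdline>[^"]*)")?'
                    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')
SIG_RE = re.compile(r'^-\s+(?P<sig>\S.*)$')

# Constructed sample, trimmed from the report's layout (assumed input, not a log export).
SAMPLE_ROWS = r"""
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4320 -
C:\Windows\SysWOW64\windows\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:4324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4332
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4396
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵PID:4256
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3312 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4348
"""

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: List[str] = field(default_factory=list)
    children: List["Proc"] = field(default_factory=list)

def parse_rows(text: str) -> List[Proc]:
    """Turn the flattened rows into Proc nodes; the depth number selects the parent."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # ancestors of the node being built
    current: Optional[Proc] = None  # node that trailing bullets / PID line belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ROW_RE.match(line):
            depth = int(m["depth"])
            while stack and stack[-1].depth >= depth:   # climb back to the parent level
                stack.pop()
            current = Proc(m["image"], m["cmdline"] or "", depth,
                           int(m["pid"]) if m["pid"] else None,
                           stack[-1] if stack else None)
            if current.parent:
                current.parent.children.append(current)
            procs.append(current)
            stack.append(current)
        elif (m := PID_RE.match(line)) and current and current.pid is None:
            current.pid = int(m["pid"])                  # PID deferred past the bullets
        elif (m := SIG_RE.match(line)) and current:
            current.signatures.append(m["sig"])          # bare "-" lines fall through
    return procs

# Assumed drop locations, taken from the paths seen in this tree.
DROP_SUFFIXES = (r"\syswow64\windows\server.exe", r"\appdata\roaming\windows\server.exe")

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_indicators(procs: List[Proc]) -> Dict[str, Any]:
    """Indicators an analyst pulls from the tree; keys are this example's names."""
    out: Dict[str, Any] = {"dropped_server": [], "self_respawn": [], "injection_sigs": [],
                           "hollow_candidates": [], "active_setup": [], "ie_fanout": {}}
    for p in procs:
        low = p.image.lower()
        if low.endswith(DROP_SUFFIXES):                    # Server.exe in a drop location
            out["dropped_server"].append(p.pid)
        if p.parent and p.parent.image.lower() == low:     # same binary re-launched by
            out["self_respawn"].append((p.parent.pid, p.pid))  # itself: hollowing stage
        if any("SetThreadContext" in s for s in p.signatures):
            out["injection_sigs"].append(p.pid)
        if (_name(p.image) == "iexplore.exe" and p.parent
                and _name(p.parent.image) != "explorer.exe"
                and p.cmdline.strip().lower() == low):     # browser with no URL, odd parent
            out["hollow_candidates"].append(p.pid)
        if any(s.startswith("Boot or Logon Autostart Execution: Active Setup")
               for s in p.signatures):
            out["active_setup"].append(p.pid)
        n = sum(1 for c in p.children if _name(c.image) == "iexplore.exe")
        if n:
            out["ie_fanout"][p.pid] = n
    return out

if __name__ == "__main__":
    for key, value in find_indicators(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key:18} {value}")
```

To run it over the real tree, copy the rows as the page renders them into `parse_rows`. Two heuristics carry most of the weight: a process whose parent has the identical image path and a SetThreadContext signature is the classic suspend-and-overwrite setup, and iexplore.exe launched with nothing but its own path as the command line, from a parent that is not the shell, is a browser that was started to be hollowed rather than to browse. Neither is proof on its own, which is why the script reports them side by side with the drop paths and the Active Setup writes instead of collapsing them into one verdict.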
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5:    651c77f67dfeb3aa6be44939a4e03f43
  SHA1:   99cf486e4df61ec9cacc5300d834bc7c163519a4
  SHA256: e29c5a8a737c184f9d0f5a0ff09213bee4c296d59c37d733be4dd5f762dd9b88
  SHA512: e358afa0e1afe1162dc35a5bfb3f600ee2a02709ce20dcfaa2b7b147f98acfb40a9b134c29ffae83686385ebc7cb0e1fff28f033a7f60a5199b6c540469a441f

File 2
  Filesize: 47KB
  MD5:    5352d2f8ae61a3d1e25915d0bf9ae0f3
  SHA1:   bb3645d3ab000883698684bb0069151e25cfec21
  SHA256: 636b5de6c26209dffb13c6ae0cb3f8cce92b3a734a7f4a0f64eb71236a323ccf
  SHA512: b6bfe4e79047b4bc57f6c4acf3b2c2ef916c286b24119414b09f3dbc7d4e81ffd0a69ab176a6d2a3524a63faee316eac093c60a6c4ca1225723eb2e3cd7b89ab

File 3 (no size recorded; these four values are the digests of a zero-length file, so this entry carries no content to pivot on)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e