Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2024 14:09

Behavioral task behavioral1
Sample: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task behavioral2
Sample: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
Resource: win10v2004-20240709-en

General

Target: 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
Size: 47KB
MD5: 5352d2f8ae61a3d1e25915d0bf9ae0f3
SHA1: bb3645d3ab000883698684bb0069151e25cfec21
SHA256: 636b5de6c26209dffb13c6ae0cb3f8cce92b3a734a7f4a0f64eb71236a323ccf
SHA512: b6bfe4e79047b4bc57f6c4acf3b2c2ef916c286b24119414b09f3dbc7d4e81ffd0a69ab176a6d2a3524a63faee316eac093c60a6c4ca1225723eb2e3cd7b89ab
SSDEEP: 768:feWP5ftbi5Cx55Y5Mt0d3K062tuROGtkiIDWNmWsS6YrhtYpcCl7nBtJQ:feEftbd5iuKxr3GOGtlUPaXhtAcCdBty

Malware Config

Extracted family: xtremerat
C2 host: hitler96.no-ip.org (a No-IP dynamic-DNS name; block or hunt on the hostname rather than on whatever IP it resolved to during the run)
Signatures (every reference below is to behavioral2, the win10v2004 run)

Detect XtremeRAT payload (11 IoCs)
All 11 hits are the yara rule family_xtremerat on one and the same 0x13000-byte region, 0x0000000000C80000-0x0000000000C93000, in memory snapshots of child processes. Four of those PIDs (876, 2432, 4176, 2136) are SetThreadContext targets in the signature further down; no on-disk hit is listed, which is consistent with the RAT body existing only after unpacking and injection.
behavioral2/memory/876-3-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/876-4-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/876-6-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/876-7-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/876-73-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/2432-81-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/2432-82-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/3828-90-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/2432-93-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/4176-172-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat
behavioral2/memory/2136-338-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat

XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a registry key under Active Setup on the local machine. At each interactive logon Windows compares HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{id} with the same key under HKCU and, where the per-user copy is missing or carries a lower Version, runs the StubPath command as that user; a single HKLM entry therefore fires once for every user who logs on. Here the component id {YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY} has the 8-4-4-4-12 shape of a GUID but contains non-hexadecimal characters (Windows never validates it, which makes a malformed id a cheap hunting tell), and the stub is the dropped Server.exe with a "restart" argument. The keys sit under WOW6432Node because a 32-bit process writing HKLM\Software is redirected there.
Processes: Server.exe instances, 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe, and one row attributed to a process named svchost.exe (the report as shown does not say which svchost.exe instance that was; check it against the process tree).
Distinct events (the 64 rows repeat these four; three alternative StubPath locations are written):
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}   Process: Server.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart"   Process: Server.exe, svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\SysWOW64\\windows\\Server.exe restart"   Process: Server.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart"   Process: Server.exe, 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe
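Added example, not part of the sandbox report or of its tooling: a small triage routine over StubPath "Set value" rows in the shape the report prints them. It checks the three things the Active Setup entries above illustrate (a component id that is not a real GUID, a stub living under a user-writable profile path, and a stub inside a subdirectory of System32/SysWOW64 rather than directly in it) and records which registry view was written. The first two sample rows copy values from the report; the third is a constructed, benign-looking Windows component entry for contrast, and the path heuristics are this example's own assumptions, not something the report states.

```python
"""Triage of Active Setup StubPath writes, as logged in the report's registry IoC rows.

Added example; not part of the sandbox report or the Triage tooling. Input lines
have the report's shape:  Set value (str) <key>\\StubPath = "<command>" <process>
The sample rows are constructed: two copy values from the report above, the
third is a benign-looking Windows component (hypothetical, for contrast).
"""
import re
from typing import Dict, List

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\Server.exe restart" Server.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YFTDSD7Q-MRI3-AKC4-S245-Q4G56TVM36MY}\StubPath = "C:\\Windows\\system32\\windows\\Server.exe restart" 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\StubPath = "%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall C:\\Windows\\system32\\themeui.dll" msiexec.exe',
]

ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>WOW6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\(?P<component>\{[^}]+\})\\StubPath'
    r' = "(?P<cmd>.*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# Active Setup never validates the component name, but Windows' own entries are
# real GUIDs; a non-hex "GUID" is a cheap, high-signal tell.
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.IGNORECASE)
# Locations any user can write to: a stub here can be swapped out without admin rights.
USER_WRITABLE_RE = re.compile(
    r'^(?:C:\\Users\\|%APPDATA%|%LOCALAPPDATA%|%USERPROFILE%|%TEMP%|C:\\ProgramData\\)', re.IGNORECASE)
# Windows ships its stubs (regsvr32, rundll32, ...) directly in the system directory;
# an executable inside a subdirectory of System32/SysWOW64 is treated as anomalous
# (assumption of this check, not something the report states).
SYSTEM_SUBDIR_RE = re.compile(
    r'^(?:%SystemRoot%|C:\\Windows)\\(?:system32|syswow64)\\[^\\]+\\', re.IGNORECASE)


def split_command(cmd: str):
    """Return (executable, arguments) from a StubPath value; report rows escape backslashes."""
    cmd = cmd.replace('\\\\', '\\').strip()
    if cmd.startswith('"'):                      # quoted image path with spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(' ')
    return exe, args


def triage_stubpath_row(row: str) -> Dict:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'not a StubPath "Set value" row: {row!r}')
    exe, args = split_command(m['cmd'])
    findings: List[str] = []
    if not GUID_RE.match(m['component']):
        findings.append('component name is not a well-formed GUID')
    if USER_WRITABLE_RE.match(exe):
        findings.append('StubPath executable lives in a user-writable location')
    if SYSTEM_SUBDIR_RE.match(exe):
        findings.append('StubPath executable sits in a non-standard subdirectory of the system directory')
    return {
        'component': m['component'],
        'executable': exe,
        'args': args,
        'process': m['proc'],
        'view': '32-bit view (WOW6432Node)' if m['wow'] else '64-bit view',
        'findings': findings,
        'suspicious': bool(findings),
    }


def triage_report(rows: List[str]) -> List[Dict]:
    return [triage_stubpath_row(r) for r in rows]


if __name__ == '__main__':
    for result in triage_report(SAMPLE_ROWS):
        flag = 'SUSPICIOUS' if result['suspicious'] else 'ok'
        print(f"{flag:10} {result['component']} -> {result['executable']} {result['args']}")
        for finding in result['findings']:
            print(f'             - {finding}')
```

On a live host the same three checks apply to the output of `reg query` over both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the WOW6432Node branch; the row parser is only there because this page presents the data as sandbox log lines.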
Checks computer location settings (2 TTPs, 50 IoCs)
Looks up the country code configured in the registry, likely a geofence check. Caveat: HKCU\Control Panel\International\Geo\Nation is also read by ordinary locale APIs (GetUserGeoID and friends), so the query on its own is weak evidence; it only matters if the sample branches on the value, and this report does not show that.
Processes: Server.exe (49 rows) and 5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe (1 row)
Every row is the same event:
Key value queried  \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (64 IoCs)
Every row is Server.exe, the dropped copy of the sample. PIDs in order of appearance (the OS reuses PIDs during the run; 4176, 3532, 4980, 4168 and 2988 each occur twice):
2940, 2432, 3948, 2716, 4980, 4176, 1056, 1688, 3716, 3004, 1164, 4168, 2220, 3532, 5020, 3540, 3516, 1880, 1256, 3912, 2964, 4176, 3712, 3000, 5056, 4524, 3532, 540, 4980, 2376, 4728, 2136, 2988, 4168, 3708, 1404, 4772, 100, 2144, 4252, 4068, 4224, 2988, 4956, 5148, 5172, 5228, 5252, 5480, 5504, 5544, 5604, 5976, 6004, 6036, 6060, 6120, 5132, 4968, 3136, 5024, 3868, 5384, 5484
UPX-packed image (yara rule upx, 64 IoCs)
63 memory hits and one dropped file. Every memory hit is the same mapped range 0x0000000000400000-0x0000000000438000 (0x38000 bytes, about 224 KiB, against 47 KB on disk, as expected for an image that unpacks in place at the default 32-bit base). Where these PIDs also appear in the SetThreadContext list below they are its source side, i.e. the packed loaders, while the family_xtremerat hits above are in the targets.
Dropped file: behavioral2/files/0x0009000000023464-14.dat
Memory hits (pid-snapshot): 4752-0, 4752-5, 2940-72, 2940-80, 3948-94, 3948-101, 4980-166, 4980-173, 1056-184, 1056-191, 3716-197, 3716-203, 1164-211, 2220-234, 5020-245, 5020-252, 1256-260, 3516-262, 1256-271, 2964-285, 3712-296, 5056-306, 3532-318, 4980-329, 4728-340, 2988-354, 3708-361, 1404-373, 3708-371, 2144-383, 4068-386, 4068-392, 2988-400, 5148-408, 5228-416, 5480-424, 5544-431, 5544-436, 5976-444, 5976-450, 6036-458, 6120-464, 4968-469, 4968-475, 5024-483, 5384-491, 2748-499, 5720-507, 5420-566, 5500-590, 2524-588, 6024-602, 6076-606, 5500-676, 4936-683, 2452-693, 6124-702, 1080-707, 6332-717, 6420-725, 6520-733, 6944-738, 6944-744
Drops file in System32 directory (64 IoCs)
Processes: Server.exe for every row.
Distinct events (the 64 rows repeat these three):
File opened for modification  C:\Windows\SysWOW64\windows\
File opened for modification  C:\Windows\SysWOW64\windows\Server.exe
File created                  C:\Windows\SysWOW64\windows\Server.exe
The Active Setup StubPath values above name C:\Windows\system32\windows\Server.exe, yet the file events land in SysWOW64: the sample is a 32-bit process on a 64-bit host, so WOW64 file-system redirection maps its writes to System32 onto SysWOW64 (just as its HKLM\Software writes landed under WOW6432Node). A hunt for this dropper should therefore look for a "windows" subdirectory under both System32 and SysWOW64.
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 31 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe" (PID:4752)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 2: C:\Users\Admin\AppData\Local\Temp\5352d2f8ae61a3d1e25915d0bf9ae0f3_JaffaCakes118.exe (PID:876)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\svchost.exe svchost.exe (PID:3252)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2516)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4912)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2324)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1156)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2780)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2736)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1468)
depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1324)
depth 3: C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (PID:2940)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\windows\Server.exe (PID:2432)
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\svchost.exe svchost.exe (PID:3828)
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
depth 6: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:1056)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 7: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:1688)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1620)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1116)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:516)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4436)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:460)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1788)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4360)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2140)
depth 8: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:2220)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 9: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:3532)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2640)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4600)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4472)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2772)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2104)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4312)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2444)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2868)
depth 10: C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (PID:2964)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 11: C:\Windows\SysWOW64\windows\Server.exe (PID:4176)
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1596)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3768)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3308)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1688)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1396)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4104)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4420)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3964)
depth 12: C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" (PID:3532)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 13: C:\Windows\SysWOW64\windows\Server.exe (PID:540)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1160)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1924)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:220)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:116)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2944)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1452)
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3040)
depth 6: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:1164)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 7: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:4168)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2700)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:208)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4372)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4384)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2320)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4768)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1040)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3008)
depth 8: C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" (PID:3516)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 9: C:\Windows\SysWOW64\windows\Server.exe (PID:1880)
- Executes dropped EXE
depth 6: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:1256)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 7: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:3912)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3716)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1148)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2648)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2300)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1724)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1756)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1916)
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3004)
depth 8: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:3712)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 9: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:3000)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4064)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2572)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1200)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2744)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4732)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1700)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4236)
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:5068)
depth 10: C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" (PID:4980)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
depth 11: C:\Users\Admin\AppData\Roaming\windows\Server.exe (PID:2376)
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1956)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4824)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1960)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:4176)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:2568)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:3180)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1696)
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID:1568)
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4728
C:\Users\Admin\AppData\Roaming\windows\Server.exe 13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:2408
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:3000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:2496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:1816
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:3484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:3788
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:3424
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3708
C:\Windows\SysWOW64\windows\Server.exe 15⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:3232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:3452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:2904
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:2136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:4568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:4796
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:1964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:548
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4068
C:\Windows\SysWOW64\windows\Server.exe 17⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4224
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:2272
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:4916
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:3800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:2940
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:5008
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:4524
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:4068
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 18⤵ PID:2312
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5148
C:\Windows\SysWOW64\windows\Server.exe 19⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5172
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 20⤵ PID:5220
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4168
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3520
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3276
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4792
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4080
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1652
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1404
C:\Windows\SysWOW64\windows\Server.exe 9⤵
- Executes dropped EXE
PID:100
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2144
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2536
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1864
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2020
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4776
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988
C:\Users\Admin\AppData\Roaming\windows\Server.exe 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:4956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:4084
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:1820
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2328
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:1404
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2144
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:100
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5228
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5320
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5344
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5364
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5372
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5412
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5544
C:\Users\Admin\AppData\Roaming\windows\Server.exe 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5676
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5696
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5712
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5756
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5884
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5944
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6120
C:\Windows\SysWOW64\windows\Server.exe 11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5132
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5148
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:4772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:4956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:3876
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5384
C:\Windows\SysWOW64\windows\Server.exe 13⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5436
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5380
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5584
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5652
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5668
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5480
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5704
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5724
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5768
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5920
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6036
C:\Windows\SysWOW64\windows\Server.exe 9⤵
- Executes dropped EXE
PID:6060
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5976
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Checks computer location settings
- Executes dropped EXE
PID:6004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6112
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5212
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5248
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5292
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5204
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5308
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4968
C:\Users\Admin\AppData\Roaming\windows\Server.exe 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5424
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5564
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5268
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5264
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5596
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5664
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2748
C:\Users\Admin\AppData\Roaming\windows\Server.exe 11⤵
- Checks computer location settings
- Modifies registry class
PID:3368
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5864
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5520
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6056
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6104
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5608
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5420
C:\Users\Admin\AppData\Roaming\windows\Server.exe 13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:4560
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:2748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5764
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5720
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5832
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5524
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 14⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6076
C:\Users\Admin\AppData\Roaming\windows\Server.exe 15⤵ PID:1388
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5024
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Executes dropped EXE
PID:3868
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5720
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5804
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5976
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5932
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6040
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5644
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6136
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5500
C:\Windows\SysWOW64\windows\Server.exe 9⤵ PID:4308
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2524
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵ PID:5572
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6024
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4224
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4476
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2720
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5140
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6072
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5648
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5876
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\system32\windows\Server.exe" 8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4936
C:\Windows\SysWOW64\windows\Server.exe 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6060
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2792
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:1076
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:1184
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1080
C:\Windows\SysWOW64\windows\Server.exe 11⤵
- Checks computer location settings
- Drops file in System32 directory
PID:6064
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:3604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:3136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:4856
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:3780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6268
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6296
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6412
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6520
C:\Windows\SysWOW64\windows\Server.exe 13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:6544
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6648
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6760
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6824
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6876
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6904
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6968
C:\Windows\SysWOW64\windows\Server.exe "C:\Windows\SysWOW64\windows\Server.exe" 14⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7164
C:\Windows\SysWOW64\windows\Server.exe 15⤵ PID:5152
C:\Users\Admin\AppData\Roaming\windows\Server.exe "C:\Users\Admin\AppData\Roaming\windows\Server.exe" 6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5500
C:\Users\Admin\AppData\Roaming\windows\Server.exe 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:5468
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6120
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1216
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4932
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:4968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2488
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1388
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2452 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:5392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6304
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6332 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6364 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6912
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6944 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe13⤵
- Boot or Logon Autostart Execution: Active Setup
PID:7012 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:7116
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6124 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:832 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6348
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6420 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6468 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6924
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6996 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe11⤵PID:7052
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7144 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1920 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6340
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6516 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:6552 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:3288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6796
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7044 -
C:\Windows\SysWOW64\windows\Server.exe11⤵
- Checks computer location settings
- Modifies registry class
PID:7008 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:3348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:1444
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6584 -
C:\Windows\SysWOW64\windows\Server.exe13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:2980 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:7004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:832
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"14⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1920 -
C:\Windows\SysWOW64\windows\Server.exe15⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6564 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:2012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:7024
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"16⤵PID:6396
-
C:\Windows\SysWOW64\windows\Server.exe17⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6500 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:7096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:1036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:7128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:7072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:6572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:7124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:4944
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\SysWOW64\windows\Server.exe"18⤵PID:6396
-
C:\Windows\SysWOW64\windows\Server.exe19⤵PID:4784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6400 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Modifies registry class
PID:6444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6664
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6884 -
C:\Windows\SysWOW64\windows\Server.exe9⤵PID:6572
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6784 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6380 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5532
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7024 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6324 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7060
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6964 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:7072 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:2708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:1228
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5908 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:6436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:7008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:1944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:7028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:7088
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"14⤵PID:5900
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe15⤵
- Drops file in System32 directory
PID:5816 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:7048
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6428 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:5860 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6064
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4332 -
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
PID:5168 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2472
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵PID:7104
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:6468 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6452
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵PID:6204
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:6428 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5860
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"8⤵PID:6536
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe9⤵PID:7132
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵PID:7136
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Modifies registry class
PID:3060 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7108
-
-
C:\Windows\SysWOW64\windows\Server.exe"C:\Windows\system32\windows\Server.exe"8⤵PID:7372
-
C:\Windows\SysWOW64\windows\Server.exe9⤵
- Drops file in System32 directory
PID:7428 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7492
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe"C:\Users\Admin\AppData\Roaming\windows\Server.exe"6⤵PID:7288
-
C:\Users\Admin\AppData\Roaming\windows\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
PID:7312 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:7484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:7500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  5⤵  PID:2812

C:\Users\Admin\AppData\Roaming\windows\Server.exe  "C:\Users\Admin\AppData\Roaming\windows\Server.exe"  5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Users\Admin\AppData\Roaming\windows\Server.exe  6⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  7⤵  PID:644

C:\Windows\SysWOW64\windows\Server.exe  "C:\Windows\system32\windows\Server.exe"  7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SysWOW64\windows\Server.exe  8⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  9⤵  PID:3280

C:\Users\Admin\AppData\Roaming\windows\Server.exe  "C:\Users\Admin\AppData\Roaming\windows\Server.exe"  9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Users\Admin\AppData\Roaming\windows\Server.exe  10⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  11⤵  PID:5052

C:\Windows\SysWOW64\windows\Server.exe  "C:\Windows\system32\windows\Server.exe"  11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\SysWOW64\windows\Server.exe  12⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  13⤵  PID:2492

C:\Windows\SysWOW64\windows\Server.exe  "C:\Windows\SysWOW64\windows\Server.exe"  13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\SysWOW64\windows\Server.exe  14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  15⤵  PID:4964
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 651c77f67dfeb3aa6be44939a4e03f43
SHA1: 99cf486e4df61ec9cacc5300d834bc7c163519a4
SHA256: e29c5a8a737c184f9d0f5a0ff09213bee4c296d59c37d733be4dd5f762dd9b88
SHA512: e358afa0e1afe1162dc35a5bfb3f600ee2a02709ce20dcfaa2b7b147f98acfb40a9b134c29ffae83686385ebc7cb0e1fff28f033a7f60a5199b6c540469a441f

Filesize: 47KB
MD5: 5352d2f8ae61a3d1e25915d0bf9ae0f3
SHA1: bb3645d3ab000883698684bb0069151e25cfec21
SHA256: 636b5de6c26209dffb13c6ae0cb3f8cce92b3a734a7f4a0f64eb71236a323ccf
SHA512: b6bfe4e79047b4bc57f6c4acf3b2c2ef916c286b24119414b09f3dbc7d4e81ffd0a69ab176a6d2a3524a63faee316eac093c60a6c4ca1225723eb2e3cd7b89ab