Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-07-2024 07:37
Static task
static1
Behavioral task
behavioral1
Sample
5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe
-
Size
304KB
-
MD5
5b01a965e92be17ebd974a81eb5948ee
-
SHA1
ecd36b7eab3966aaa6b1968bedfa3a2a506fff67
-
SHA256
e2d5692458d5e9dbf491076f672ecad3b084b60bf4b2270a28470be4aac39d5d
-
SHA512
b77c2c80a9e29b940c9bbd8214a9ccc46a510c5417a05766b292bc6f5e68d874a2c0b56edbfa45da9865cc29c247d10a6f8ce00ab4cb197fe20aabc5bd675a3c
-
SSDEEP
3072:+asrPd9TheaXX+ilsBlIymvcPM6n3xVU9P8nFse6z1Pa6t:+filM0eeZU1Pl
Malware Config
Signatures
-
Detect XtremeRAT payload 9 IoCs
resource yara_rule behavioral1/memory/2684-2-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2684-4-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2684-3-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2684-5-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2684-17-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2816-26-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2816-31-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2600-38-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat behavioral1/memory/2600-43-0x0000000000C80000-0x0000000000C92000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe -
Executes dropped EXE 62 IoCs
pid Process 1784 Server.exe 2816 Server.exe 2720 Server.exe 2600 Server.exe 2832 Server.exe 2900 Server.exe 2852 Server.exe 1968 Server.exe 2640 Server.exe 1644 Server.exe 1072 Server.exe 2160 Server.exe 308 Server.exe 1976 Server.exe 2560 Server.exe 2548 Server.exe 2076 Server.exe 768 Server.exe 2116 Server.exe 2712 Server.exe 2928 Server.exe 2648 Server.exe 1664 Server.exe 2896 Server.exe 1624 Server.exe 3064 Server.exe 1324 Server.exe 2320 Server.exe 1368 Server.exe 1332 Server.exe 768 Server.exe 2176 Server.exe 2824 Server.exe 2600 Server.exe 3036 Server.exe 2196 Server.exe 912 Server.exe 2496 Server.exe 1820 Server.exe 1048 Server.exe 548 Server.exe 1984 Server.exe 2764 Server.exe 2684 Server.exe 3064 Server.exe 1520 Server.exe 2116 Server.exe 768 Server.exe 3136 Server.exe 3152 Server.exe 3272 Server.exe 3292 Server.exe 3404 Server.exe 3420 Server.exe 3536 Server.exe 3552 Server.exe 3672 Server.exe 3688 Server.exe 3808 Server.exe 3824 Server.exe 3936 Server.exe 3952 Server.exe -
Loads dropped DLL 3 IoCs
pid Process 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 1784 Server.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 304 set thread context of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 set thread context of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 1784 set thread context of 2816 1784 Server.exe 41 PID 1784 set thread context of 0 1784 Server.exe PID 2720 set thread context of 2600 2720 Server.exe 51 PID 2720 set thread context of 0 2720 Server.exe PID 2832 set thread context of 2900 2832 Server.exe 61 PID 2832 set thread context of 0 2832 Server.exe PID 2852 set thread context of 1968 2852 Server.exe 71 PID 2852 set thread context of 0 2852 Server.exe PID 2640 set thread context of 1644 2640 Server.exe 81 PID 2640 set thread context of 0 2640 Server.exe PID 1072 set thread context of 2160 1072 Server.exe 91 PID 1072 set thread context of 0 1072 Server.exe PID 308 set thread context of 1976 308 Server.exe 101 PID 308 set thread context of 0 308 Server.exe PID 2560 set thread context of 2548 2560 Server.exe 111 PID 2560 set thread context of 0 2560 Server.exe PID 2076 set thread context of 768 2076 Server.exe 121 PID 2076 set thread context of 0 2076 Server.exe PID 2116 set thread context of 2712 2116 Server.exe 131 PID 2116 set thread context of 0 2116 Server.exe PID 2928 set thread context of 2648 2928 Server.exe 141 PID 2928 set thread context of 0 2928 Server.exe PID 1664 set thread context of 2896 1664 Server.exe 151 PID 1664 set thread context of 0 1664 Server.exe PID 1624 set thread context of 3064 1624 Server.exe 161 PID 1624 set thread context of 0 1624 Server.exe PID 1324 set thread context of 2320 1324 Server.exe 171 PID 1324 set thread context of 0 1324 Server.exe PID 1368 set thread context of 1332 1368 Server.exe 181 PID 1368 set thread context of 0 1368 Server.exe PID 768 set thread context of 2176 768 Server.exe 191 PID 768 set thread context of 0 768 Server.exe PID 2824 set thread context of 2600 2824 Server.exe 201 PID 2824 set thread context of 0 2824 Server.exe PID 3036 set thread context of 2196 3036 Server.exe 211 PID 3036 set thread context of 0 3036 Server.exe PID 912 set thread context of 2496 912 Server.exe 221 PID 912 set thread context of 0 912 Server.exe PID 1820 set thread context of 1048 1820 Server.exe 231 PID 1820 set thread context of 0 1820 Server.exe PID 548 set thread context of 1984 548 Server.exe 241 PID 548 set thread context of 0 548 Server.exe PID 2764 set thread context of 2684 2764 Server.exe 251 PID 2764 set thread context of 0 2764 Server.exe PID 3064 set thread context of 1520 3064 Server.exe 261 PID 3064 set thread context of 0 3064 Server.exe PID 2116 set thread context of 768 2116 Server.exe 271 PID 2116 set thread context of 0 2116 Server.exe PID 3136 set thread context of 3152 3136 Server.exe 281 PID 3136 set thread context of 0 3136 Server.exe PID 3272 set thread context of 3292 3272 Server.exe 291 PID 3272 set thread context of 0 3272 Server.exe PID 3404 set thread context of 3420 3404 Server.exe 301 PID 3404 set thread context of 0 3404 Server.exe PID 3536 set thread context of 3552 3536 Server.exe 311 PID 3536 set thread context of 0 3536 Server.exe PID 3672 set thread context of 3688 3672 Server.exe 321 PID 3672 set thread context of 0 3672 Server.exe PID 3808 set thread context of 3824 3808 Server.exe 331 PID 3808 set thread context of 0 3808 Server.exe PID 3936 set thread context of 3952 3936 Server.exe 341 PID 3936 set thread context of 0 3936 Server.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\InstallDir\Server.exe 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe File created C:\Windows\InstallDir\Server.exe 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 32 IoCs
pid Process 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 1784 Server.exe 2720 Server.exe 2832 Server.exe 2852 Server.exe 2640 Server.exe 1072 Server.exe 308 Server.exe 2560 Server.exe 2076 Server.exe 2116 Server.exe 2928 Server.exe 1664 Server.exe 1624 Server.exe 1324 Server.exe 1368 Server.exe 768 Server.exe 2824 Server.exe 3036 Server.exe 912 Server.exe 1820 Server.exe 548 Server.exe 2764 Server.exe 3064 Server.exe 2116 Server.exe 3136 Server.exe 3272 Server.exe 3404 Server.exe 3536 Server.exe 3672 Server.exe 3808 Server.exe 3936 Server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 2684 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 30 PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 304 wrote to memory of 0 304 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe PID 2684 wrote to memory of 2144 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 31 PID 2684 wrote to memory of 2144 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 31 PID 2684 wrote to memory of 2144 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 31 PID 2684 wrote to memory of 2144 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 31 PID 2684 wrote to memory of 2144 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 31 PID 2684 wrote to memory of 1796 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 32 PID 2684 wrote to memory of 1796 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 32 PID 2684 wrote to memory of 1796 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 32 PID 2684 wrote to memory of 1796 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 32 PID 2684 wrote to memory of 1796 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 32 PID 2684 wrote to memory of 2356 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2356 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2356 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2356 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2356 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2416 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 34 PID 2684 wrote to memory of 2416 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 34 PID 2684 wrote to memory of 2416 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 34 PID 2684 wrote to memory of 2416 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 34 PID 2684 wrote to memory of 2416 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 34 PID 2684 wrote to memory of 2424 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 35 PID 2684 wrote to memory of 2424 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 35 PID 2684 wrote to memory of 2424 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 35 PID 2684 wrote to memory of 2424 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 35 PID 2684 wrote to memory of 2424 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 35 PID 2684 wrote to memory of 1936 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 37 PID 2684 wrote to memory of 1936 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 37 PID 2684 wrote to memory of 1936 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 37 PID 2684 wrote to memory of 1936 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 37 PID 2684 wrote to memory of 1936 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 37 PID 2684 wrote to memory of 2696 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 38 PID 2684 wrote to memory of 2696 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 38 PID 2684 wrote to memory of 2696 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 38 PID 2684 wrote to memory of 2696 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 38 PID 2684 wrote to memory of 2696 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 38 PID 2684 wrote to memory of 2384 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 39 PID 2684 wrote to memory of 2384 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 39 PID 2684 wrote to memory of 2384 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 39 PID 2684 wrote to memory of 2384 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 39 PID 2684 wrote to memory of 1784 2684 5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Users\Admin\AppData\Local\Temp\5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b01a965e92be17ebd974a81eb5948ee_JaffaCakes118.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2144
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2416
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2696
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2384
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1784 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2816 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2768
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2904
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2788
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2780
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2600 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3052
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:948
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2112
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:464
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2832 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2900 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2432
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1952
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1120
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1092
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2852 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1968 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2044
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:3048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:3016
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:3044
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:3068
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2640 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1644 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2056
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2236
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2096
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1108
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1980
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1072 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2160 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1548
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1172
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1528
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:308 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"16⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1976 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1088
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1812
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:564
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2268
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2976
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:292
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2560 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"18⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2548 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2068
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2272
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2504
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1744
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2076 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"20⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:768 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2348
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2688
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1592
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2376
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2884
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2116 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"22⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2712 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2736
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2752
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2828
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2848
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2968
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2724
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2928 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"24⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2648 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2612
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1768
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2520
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1664 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"26⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2896 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1956
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:3024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2360
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2588
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1436
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2852
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"28⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3064 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2436
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:700
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1076
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1644
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1324 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"30⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2320 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1992
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2160
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:664
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:308
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:268
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1976
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1368 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"32⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1332 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1488
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:316
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:3000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1064
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1972
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:264
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:768 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"34⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2176 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2960
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2792
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2824 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"36⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2600 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1944
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2896
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2460
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2128
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"38⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2196 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2952
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2408
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:836
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2992
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"40⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2496 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2172
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2076
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1196
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1440
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:780
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1820 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"42⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1048 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2820
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1188
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:548 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"44⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1984 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:952
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1052
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2540
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:480
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:640
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"46⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2684 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:2648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:2580
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:880
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:344
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"48⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1520 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:300
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2176
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:1328
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:3064
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2536
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2116 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"50⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:768 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2940
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:1784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3112
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:3124
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3136 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"52⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3152 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3200
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3232
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3260
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3272 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"54⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3292 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3324
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3352
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3364
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3372
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3392
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3404 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"56⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3420 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3452
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3464
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3504
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3512
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3524
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3536 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"58⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3552 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3584
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3640
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3660
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3672 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"60⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3688 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3768
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3792
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3808 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"62⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3824 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3856
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3884
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3896
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3904
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3924
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3936 -
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"64⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3952 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:3984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:3996
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4004
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4016
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4036
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4044
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"65⤵PID:4056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c4f12a53f76c2df457674905f50c7eb2
SHA1aaaec3e48f33c94ff3b2b7f813300a57cb0c5e5d
SHA25673de6cda1f7191aefd5ff17955ee6d90bffcd2ac7325ff36446f981f6234e2ee
SHA5126aef952d00ae074e3cadb96cd4482f2f69130ada533915f0daa462dda41f216b715d1eeecffd21be3a30561942b53ce3ee7d59fdb141ef021e1d99b4e9094903
-
Filesize
304KB
MD55b01a965e92be17ebd974a81eb5948ee
SHA1ecd36b7eab3966aaa6b1968bedfa3a2a506fff67
SHA256e2d5692458d5e9dbf491076f672ecad3b084b60bf4b2270a28470be4aac39d5d
SHA512b77c2c80a9e29b940c9bbd8214a9ccc46a510c5417a05766b292bc6f5e68d874a2c0b56edbfa45da9865cc29c247d10a6f8ce00ab4cb197fe20aabc5bd675a3c