Analysis

max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 11:15

Static task: static1
Behavioral task: behavioral1 (Sample 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe, Resource win7-20240708-en)
Behavioral task: behavioral2 (Sample 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe, Resource win10v2004-20240709-en)

The signatures on this page belong to the behavioral2 run (Windows 10 2004 x64): the platform line above matches that task's resource and every memory-dump resource below is prefixed behavioral2/.
General

Target: 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
Size: 296KB
MD5: 5bb4ce20ccbd7dbea1edbcb0a493cde4
SHA1: a241adc9c026615a7fe8f739170ac9689c9a12aa
SHA256: 3fd5c605839d254e2a8d07123b923e0ddb798d15d06ebbc936288d1e14d79bda
SHA512: a4168f7b20a98ab96d395b8a156562c83c8383990b4e6f0844911871fd837b210ae27d6a01cca15c35b796a25eaad3b588a42823c2f1ec89d9580bf844c0f657
SSDEEP: 3072:C5XpMOV4IlksoM2YidoXBG8kixnkOodra+QTdZKTLZrTO51Icfmz++QfRTob:YZmO/j0lPel
Malware Config

Extracted: xtremerat
C2: sxooxs.no-ip.biz

The C2 is a No-IP dynamic DNS hostname, so the address it resolves to can change between runs; pivot and block on the hostname rather than on whatever IP the sandbox saw.
Signatures

Detect XtremeRAT payload 7 IoCs
resource | yara_rule
behavioral2/memory/1556-5-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/1556-6-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/5064-13-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/1556-16-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/4100-23-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/4100-24-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/4100-99-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat

All seven hits are memory dumps, not the file on disk, and all cover the same 0x16000-byte region at base 0x00C80000 in three processes (PIDs 1556, 5064 and 4100): one 32-bit image mapped at the same base in each of them. When writing detections from this, remember the rule matched the unpacked image in memory; the on-disk sample is UPX-packed (see the upx matches below).
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. A StubPath command runs in the user's context at logon for any user whose HKCU Installed Components hive does not yet carry the component's GUID (or carries a lower Version), so a single HKLM write relaunches the implant for every profile on the host. All 64 events target one component, {5460C4DF-B266-909E-CB58-E32B79832EB2}, and collapse to the distinct rows below. The StubPath value names the same dropped Server.exe in three locations and passes it a restart argument; one of the writes comes from svchost.exe rather than Server.exe, which is consistent with the RAT's code also executing inside an injected svchost.exe.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Checks computer location settings 2 TTPs 44 IoCs
Looks up the country code configured in the registry, likely for geofencing. All 44 queries read the same value, HKCU\Control Panel\International\Geo\Nation (the store behind GetUserGeoID), once from the original sample and otherwise from the dropped Server.exe copies. On its own the query shows location awareness; whether the sample refuses to run in some countries or merely reports the country to its operator is not established by this signature.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
Executes dropped EXE 64 IoCs
All 64 executions are of the dropped Server.exe. PIDs, in order: 4852, 4100, 2544, 3300, 4992, 804, 1684, 2508, 960, 1856, 4512, 2100, 1844, 5016, 4756, 4132, 2672, 3400, 4240, 3444, 1888, 2100, 3508, 4768, 2816, 2600, 1744, 2504, 3008, 1456, 3832, 376, 4496, 1064, 3876, 2600, 1396, 4516, 1200, 4396, 804, 4496, 1360, 636, 4988, 1936, 1960, 1856, 1360, 3408, 2780, 3088, 4456, 1484, 1932, 232, 1020, 2352, 4036, 4560, 2276, 628, 3060, 5164.
Six PIDs (804, 1360, 1856, 2100, 2600, 4496) occur twice: the earlier process with that number had already exited and Windows reused the PID within the 149 s run, so the copies are short-lived and keep being relaunched. Do not treat a PID from this list as a stable identifier when correlating with other tables.
UPX packed file (yara rule upx) 10 IoCs
resource | yara_rule
behavioral2/memory/1556-2-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1556-4-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1556-5-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1556-6-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/5064-13-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1556-16-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/4100-22-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/4100-23-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/4100-24-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/4100-99-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx

The upx matches cover the same 0x00C80000-0x00C96000 region, in the same three PIDs, as the family_xtremerat hits above. That is what a UPX-packed 32-bit image looks like in memory: the stub decompresses the real code in place inside the mapped image, so the packer's section headers and the unpacked XtremeRAT payload sit in one region.
Adds Run key to start application 2 TTPs 64 IoCs
The 64 writes collapse to the distinct rows below. Two details matter for hunting: the Run value names are literally HKLM and HKCU (the implant names each value after the hive it writes to), and the same Server.exe path is registered from both hives, so deleting one entry leaves the other. The HKLM writes land under WOW6432Node because the writer is a 32-bit process; the user-hive Run key is not redirected, as the paths below show.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
File opened for modification C:\Windows\SysWOW64\InstallDir\ Server.exe
File created C:\Windows\SysWOW64\InstallDir\Server.exe Server.exe
-
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target
PID 3448 set thread context of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 4852 set thread context of 4100 4852 Server.exe 102
PID 2544 set thread context of 3300 2544 Server.exe 114
PID 4992 set thread context of 804 4992 Server.exe 117
PID 1684 set thread context of 2508 1684 Server.exe 135
PID 960 set thread context of 1856 960 Server.exe 137
PID 4512 set thread context of 2100 4512 Server.exe 141
PID 1844 set thread context of 4756 1844 Server.exe 159
PID 5016 set thread context of 4132 5016 Server.exe 160
PID 2672 set thread context of 4240 2672 Server.exe 171
PID 3400 set thread context of 3444 3400 Server.exe 172
PID 1888 set thread context of 2100 1888 Server.exe 183
PID 3508 set thread context of 4768 3508 Server.exe 185
PID 2816 set thread context of 1744 2816 Server.exe 206
PID 2600 set thread context of 2504 2600 Server.exe 208
PID 3008 set thread context of 1456 3008 Server.exe 211
PID 3832 set thread context of 376 3832 Server.exe 220
PID 4496 set thread context of 1064 4496 Server.exe 224
PID 3876 set thread context of 2600 3876 Server.exe 233
PID 1396 set thread context of 4516 1396 Server.exe 237
PID 1200 set thread context of 4396 1200 Server.exe 246
PID 804 set thread context of 4496 804 Server.exe 250
PID 1360 set thread context of 636 1360 Server.exe 266
PID 4988 set thread context of 1936 4988 Server.exe 268
PID 1960 set thread context of 1856 1960 Server.exe 286
PID 1360 set thread context of 3408 1360 Server.exe 288
PID 2780 set thread context of 3088 2780 Server.exe 291
PID 4456 set thread context of 1484 4456 Server.exe 302
PID 1932 set thread context of 232 1932 Server.exe 305
PID 1020 set thread context of 2352 1020 Server.exe 322
PID 4036 set thread context of 4560 4036 Server.exe 324
PID 2276 set thread context of 628 2276 Server.exe 328
PID 3060 set thread context of 5156 3060 Server.exe 351
PID 5164 set thread context of 5208 5164 Server.exe 353
PID 5364 set thread context of 5388 5364 Server.exe 363
PID 5456 set thread context of 5484 5456 Server.exe 366
PID 5716 set thread context of 5740 5716 Server.exe 383
PID 5752 set thread context of 5812 5752 Server.exe 386
PID 5776 set thread context of 5836 5776 Server.exe 387
PID 6084 set thread context of 6124 6084 Server.exe 405
PID 2984 set thread context of 4020 2984 Server.exe 408
PID 5356 set thread context of 5384 5356 Server.exe 424
PID 544 set thread context of 6136 544 Server.exe 438
PID 4428 set thread context of 5464 4428 Server.exe 441
PID 5512 set thread context of 5788 5512 Server.exe 452
PID 5812 set thread context of 5264 5812 Server.exe 453
PID 5524 set thread context of 5884 5524 Server.exe 466
PID 5928 set thread context of 5376 5928 Server.exe 469
PID 5696 set thread context of 5912 5696 Server.exe 485
PID 5420 set thread context of 5928 5420 Server.exe 489
PID 5400 set thread context of 5424 5400 Server.exe 492
PID 5928 set thread context of 3824 5928 Server.exe 508
PID 6148 set thread context of 6176 6148 Server.exe 512
PID 6368 set thread context of 6392 6368 Server.exe 528
PID 6452 set thread context of 6516 6452 Server.exe 533
PID 6492 set thread context of 6524 6492 Server.exe 534
PID 6756 set thread context of 6816 6756 Server.exe 550
PID 6908 set thread context of 6932 6908 Server.exe 554
PID 6940 set thread context of 6984 6940 Server.exe 556
PID 5144 set thread context of 6380 5144 Server.exe 574
PID 6332 set thread context of 6180 6332 Server.exe 576
PID 6460 set thread context of 6596 6460 Server.exe 579
PID 2516 set thread context of 692 2516 Server.exe 598
PID 3176 set thread context of 7020 3176 Server.exe 602
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 26 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Server.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process
3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
4852 Server.exe
2544 Server.exe
4992 Server.exe
1684 Server.exe
960 Server.exe
4512 Server.exe
1844 Server.exe
5016 Server.exe
2672 Server.exe
3400 Server.exe
1888 Server.exe
3508 Server.exe
2816 Server.exe
2600 Server.exe
3008 Server.exe
3832 Server.exe
4496 Server.exe
3876 Server.exe
1396 Server.exe
1200 Server.exe
804 Server.exe
1360 Server.exe
4988 Server.exe
1960 Server.exe
1360 Server.exe
2780 Server.exe
4456 Server.exe
1932 Server.exe
1020 Server.exe
4036 Server.exe
2276 Server.exe
3060 Server.exe
5164 Server.exe
5364 Server.exe
5456 Server.exe
5716 Server.exe
5752 Server.exe
5776 Server.exe
6084 Server.exe
2984 Server.exe
5356 Server.exe
544 Server.exe
4428 Server.exe
5512 Server.exe
5812 Server.exe
5524 Server.exe
5928 Server.exe
5696 Server.exe
5420 Server.exe
5400 Server.exe
5928 Server.exe
6148 Server.exe
6368 Server.exe
6452 Server.exe
6492 Server.exe
6756 Server.exe
6908 Server.exe
6940 Server.exe
5144 Server.exe
6332 Server.exe
6460 Server.exe
2516 Server.exe
3176 Server.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84
PID 1556 wrote to memory of 5064 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 87
PID 1556 wrote to memory of 5064 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 87
PID 1556 wrote to memory of 5064 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 87
PID 1556 wrote to memory of 5064 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 87
PID 1556 wrote to memory of 1704 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 89
PID 1556 wrote to memory of 1704 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 89
PID 1556 wrote to memory of 1704 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 89
PID 1556 wrote to memory of 1604 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 90
PID 1556 wrote to memory of 1604 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 90
PID 1556 wrote to memory of 1604 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 90
PID 1556 wrote to memory of 2692 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 91
PID 1556 wrote to memory of 2692 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 91
PID 1556 wrote to memory of 2692 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 91
PID 1556 wrote to memory of 1972 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 92
PID 1556 wrote to memory of 1972 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 92
PID 1556 wrote to memory of 1972 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 92
PID 1556 wrote to memory of 2952 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 95
PID 1556 wrote to memory of 2952 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 95
PID 1556 wrote to memory of 2952 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 95
PID 1556 wrote to memory of 1620 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 98
PID 1556 wrote to memory of 1620 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 98
PID 1556 wrote to memory of 1620 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 98
PID 1556 wrote to memory of 4392 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 99
PID 1556 wrote to memory of 4392 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 99
PID 1556 wrote to memory of 4392 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 99
PID 1556 wrote to memory of 4068 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 100
PID 1556 wrote to memory of 4068 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 100
PID 1556 wrote to memory of 4852 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 101
PID 1556 wrote to memory of 4852 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 101
PID 1556 wrote to memory of 4852 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 101
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4852 wrote to memory of 4100 4852 Server.exe 102
PID 4100 wrote to memory of 4908 4100 Server.exe 103
PID 4100 wrote to memory of 4908 4100 Server.exe 103
PID 4100 wrote to memory of 4908 4100 Server.exe 103
PID 4100 wrote to memory of 2860 4100 Server.exe 104
PID 4100 wrote to memory of 2860 4100 Server.exe 104
PID 4100 wrote to memory of 2860 4100 Server.exe 104
PID 4100 wrote to memory of 5012 4100 Server.exe 106
PID 4100 wrote to memory of 5012 4100 Server.exe 106
PID 4100 wrote to memory of 5012 4100 Server.exe 106
PID 4100 wrote to memory of 964 4100 Server.exe 107
PID 4100 wrote to memory of 964 4100 Server.exe 107
PID 4100 wrote to memory of 964 4100 Server.exe 107
PID 4100 wrote to memory of 3796 4100 Server.exe 108
PID 4100 wrote to memory of 3796 4100 Server.exe 108
PID 4100 wrote to memory of 3796 4100 Server.exe 108
PID 4100 wrote to memory of 2156 4100 Server.exe 109
PID 4100 wrote to memory of 2156 4100 Server.exe 109
PID 4100 wrote to memory of 2156 4100 Server.exe 109
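Read together, the SetThreadContext and WriteProcessMemory tables above show the injection pattern this sample repeats at every level of the process tree: a parent (first PID 3448, then each Server.exe) starts a second copy of its own image, writes into it, and then replaces a thread context in that child, so the child runs the unpacked payload; the hollowed child then writes into further processes and starts the next Server.exe, which does the same. The Python below is an added example, not the sandbox's own tooling: it parses rows in the report's 'PID <pid> <action> of <target> <pid> <image> <procid>' shape, flags parent/child pairs that carry both a memory write and a thread-context change, and walks the injection lineage from a root PID. The sample rows are constructed from the values in the tables above. One caveat a practitioner needs: this example keys on PID alone, but PIDs recycle within a 149 s run (1360, 5928, 4496 and 2100 each appear twice in the full tables), so on the complete data set the sandbox's trailing procid column is what distinguishes two process instances that shared a PID.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's own shape (values taken from the
# tables above): "PID <pid> <action> of <target> <pid> <image> <procid>"
SAMPLE_EVENTS = [
    "PID 3448 set thread context of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84",
    "PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84",
    "PID 3448 wrote to memory of 1556 3448 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 84",
    "PID 1556 wrote to memory of 5064 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 87",
    "PID 1556 wrote to memory of 4852 1556 5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe 101",
    "PID 4852 set thread context of 4100 4852 Server.exe 102",
    "PID 4852 wrote to memory of 4100 4852 Server.exe 102",
    "PID 4100 wrote to memory of 4908 4100 Server.exe 103",
]

# The second PID in a row repeats the first; (?P=pid) enforces that.
EVENT_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid>\d+)$"
)

# A parent that both wrote the child's memory and reset a thread context has
# replaced what the child executes: the hollowing / injection signature.
HOLLOW = {"set thread context of", "wrote to memory of"}


def parse_event(row):
    """Return (pid, action, target, image) for a well-formed row, else None."""
    m = EVENT_RE.match(row)
    if m is None:
        return None
    return int(m.group("pid")), m.group("action"), int(m.group("target")), m.group("image")


def pair_actions(rows):
    """Aggregate rows into (parent, child) -> {"image": parent image, "actions": set}."""
    pairs = {}
    for row in rows:
        ev = parse_event(row)
        if ev is None:
            continue
        pid, action, target, image = ev
        info = pairs.setdefault((pid, target), {"image": image, "actions": set()})
        info["actions"].add(action)
    return pairs


def hollowing_candidates(rows):
    """(parent, child, parent image) for every pair that shows the full signature, sorted by PID."""
    return [
        (pid, target, info["image"])
        for (pid, target), info in sorted(pair_actions(rows).items())
        if HOLLOW <= info["actions"]
    ]


def injection_lineage(rows, root):
    """Depth-first walk over write edges from `root`, children in PID order.
    Each edge is tagged 'hollow' (write + SetThreadContext) or 'write'."""
    pairs = pair_actions(rows)
    children = defaultdict(list)
    for pid, target in pairs:
        children[pid].append(target)
    edges, seen = [], set()

    def walk(pid):
        for child in sorted(children[pid]):
            if (pid, child) in seen:  # recycled PIDs can close a cycle; visit each edge once
                continue
            seen.add((pid, child))
            kind = "hollow" if HOLLOW <= pairs[(pid, child)]["actions"] else "write"
            edges.append((pid, child, kind))
            walk(child)

    walk(root)
    return edges


if __name__ == "__main__":
    for parent, child, image in hollowing_candidates(SAMPLE_EVENTS):
        print(f"{image} ({parent}) hollowed child {child}")
    for parent, child, kind in injection_lineage(SAMPLE_EVENTS, 3448):
        print(f"{parent} -> {child} [{kind}]")
```

On the sample rows the lineage comes out as 3448 hollows 1556, 1556 writes into 4852 (the first dropped Server.exe) and 5064 (svchost.exe), and 4852 hollows 4100, which is exactly the top of the process tree below. The same two-signal rule (cross-process write plus SetThreadContext from the same parent, especially when parent and child share an image name) is what an EDR rule for this family should key on, rather than either API alone.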
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448
depth 2: C:\Users\Admin\AppData\Local\Temp\5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\5bb4ce20ccbd7dbea1edbcb0a493cde4_JaffaCakes118.exe
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556
depth 3: C:\Windows\SysWOW64\svchost.exe
cmdline: svchost.exe
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Modifies registry class
PID:5064
depth 4: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: "C:\Windows\system32\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2544
depth 5: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3300
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4208
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4356
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:624
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5116
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:220
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1676
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1436
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2220
depth 6: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: "C:\Windows\SysWOW64\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1684
depth 7: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: C:\Windows\SysWOW64\InstallDir\Server.exe
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2508
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4000
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1216
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2008
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1796
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:732
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4576
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4264
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4476
depth 8: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: "C:\Windows\SysWOW64\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1844
depth 9: C:\Windows\SysWOW64\InstallDir\Server.exe
cmdline: C:\Windows\SysWOW64\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4756
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3912
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3992
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4716
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:856
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4444
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5028
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2340
depth 10: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4692
depth 10: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2672
depth 11: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4240
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1684
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4812
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4684
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1152
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2372
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3204
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4772
depth 12: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3456
depth 12: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3508
depth 13: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4768
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2176
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2956
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4816
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2492
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1644
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1448
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:216
depth 14: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2752
depth 14: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3008
depth 15: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1456
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3236
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1208
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1576
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1100
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4880
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1496
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4448
depth 16: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3416
depth 16: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4496
depth 17: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1064
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1928
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2804
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2100
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3848
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3068
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3268
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3572
depth 18: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4092
depth 18: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1396
depth 19: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4516
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1336
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1084
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3500
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4468
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1672
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3376
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4940
depth 20: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3932
depth 20: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:804
depth 21: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:2080
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:2180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:5040
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:3400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:4960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:3876
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:3556
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1156
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2588
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1884
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4668
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2756
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4584
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5016 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵
- Executes dropped EXE
PID:4132
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3400 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Executes dropped EXE
PID:3444
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1888 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2760
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3104
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2328
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1016
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:868
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2672
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2816 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1744 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2612
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2600 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Executes dropped EXE
PID:2504
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3832 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:860
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3876 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2600 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:680
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1200 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4672
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1888
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:636 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4788
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1200
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1248
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4364
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3660
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4732
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1960 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1856 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:512
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4988 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4492
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4216
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4488
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3868
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3676
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2504
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵
- Executes dropped EXE
PID:3408
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2780 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3088 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5020
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3728
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2920
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4332
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1932 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2996
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1064
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3088
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3976
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4456
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2276 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1148
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:3016
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1716
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1548
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4456 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2076
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2396
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2972
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2676
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3436
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1844
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1020 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1916
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1396
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3356
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4768
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4040
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3084
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1756
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3060 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe9⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5156 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5308
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5320
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5328
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:5340
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5364 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5388 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5444
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5552
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5588
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5640
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:5660
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5716 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:5740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5892
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5940
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5976
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5996
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:6052
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"14⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6084 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe15⤵
- Checks computer location settings
- Adds Run key to start application
PID:6124 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5200
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:2744
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5260
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5208
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:5296
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"16⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5356 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe17⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5384 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5432
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5472
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5460
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5468
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5676
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5776
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:5136
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"18⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:544 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe19⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:6136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:5148
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4036 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4560 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2204
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5016
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:828
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3520
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\SysWOW64\InstallDir\Server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5164 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe7⤵PID:5208
C:\Windows\SysWOW64\InstallDir\Server.exe"C:\Windows\system32\InstallDir\Server.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5456 -
C:\Windows\SysWOW64\InstallDir\Server.exeC:\Windows\SysWOW64\InstallDir\Server.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:5484 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5544
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5560
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5580
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5596
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5616
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5632
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5652
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5684
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5752 -
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exeC:\Users\Admin\AppData\Roaming\InstallDir\Server.exe7⤵PID:5812
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5776
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      PID: 5836
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5932
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5948
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5968
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5984
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6004
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6020
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6040
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6060
      [level 6] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 2984
        [level 7] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
          - Boot or Logon Autostart Execution: Active Setup
          - Adds Run key to start application
          PID: 4020
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5128
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5164
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2508
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 628
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5272
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1472
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5336
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 4428
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      PID: 5464
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5388
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1340
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5888
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5576
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5540
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5452
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5404
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5668
      [level 6] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 5512
        [level 7] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Drops file in System32 directory
          - Modifies registry class
          PID: 5788
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5436
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6068
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5872
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5512
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5880
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5700
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5160
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5372
          [level 8] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 5928
            [level 9] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
              - Boot or Logon Autostart Execution: Active Setup
              - Checks computer location settings
              - Adds Run key to start application
              - Modifies registry class
              PID: 5376
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2488
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2184
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2832
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2652
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6104
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6136
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5920
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5832
              [level 10] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 5400
                [level 11] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
                  - Checks computer location settings
                  - Adds Run key to start application
                  PID: 5424
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5428
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5420
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6076
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6096
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4428
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 3852
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2276
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 3024
                  [level 12] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
                    - Suspicious use of SetThreadContext
                    - Suspicious use of SetWindowsHookEx
                    PID: 6148
                    [level 13] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
                      - Boot or Logon Autostart Execution: Active Setup
                      - Checks computer location settings
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      PID: 6176
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6228
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6244
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6272
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6288
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6308
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6324
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6360
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6444
                      [level 14] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
                        - Suspicious use of SetThreadContext
                        - Suspicious use of SetWindowsHookEx
                        PID: 6492
                        [level 15] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe) PID: 6524
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5812
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe) PID: 5264
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5524
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      PID: 5884
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5236
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2912
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 2576
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5860
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4100
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4552
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6124
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5464
      [level 6] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 5696
        [level 7] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Adds Run key to start application
          - Drops file in System32 directory
          PID: 5912
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5392
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5140
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5736
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6080
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5264
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5376
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5492
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5364
          [level 8] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 5928
            [level 9] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
              - Boot or Logon Autostart Execution: Active Setup
              - Checks computer location settings
              - Adds Run key to start application
              PID: 3824
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5856
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6184
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6236
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6264
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6280
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6300
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6316
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6336
              [level 10] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 6368
                [level 11] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
                  - Checks computer location settings
                  - Adds Run key to start application
                  - Drops file in System32 directory
                  - Modifies registry class
                  PID: 6392
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6436
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6572
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6624
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6652
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6668
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6688
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6704
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6724
                  [level 12] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
                    - Suspicious use of SetThreadContext
                    - Suspicious use of SetWindowsHookEx
                    PID: 6756
                    [level 13] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
                      - Boot or Logon Autostart Execution: Active Setup
                      - Adds Run key to start application
                      PID: 6816
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6896
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5420
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Adds Run key to start application
      - Drops file in System32 directory
      PID: 5928
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5808
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 6452
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      PID: 6516
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6600
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6632
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6660
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6676
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6696
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6712
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6732
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6824
      [level 6] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 6940
        [level 7] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Adds Run key to start application
          - Drops file in System32 directory
          - Modifies registry class
          PID: 6984
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7088
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7104
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7144
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5992
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6172
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6156
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5168
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6296
          [level 8] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 6460
            [level 9] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
              - Boot or Logon Autostart Execution: Active Setup
              - Checks computer location settings
              - Drops file in System32 directory
              - Modifies registry class
              PID: 6596
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6588
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5484
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6740
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6396
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6392
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7068
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6904
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 400
              [level 10] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe") PID: 6464
                [level 11] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
                  - Boot or Logon Autostart Execution: Active Setup
                  - Checks computer location settings
                  - Adds Run key to start application
                  PID: 5912
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6500
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6180
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6560
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4072
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1708
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5488
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6932
                  [level 12] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6768
                  [level 12] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe") PID: 6884
                    [level 13] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe)
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      PID: 6816
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 3120
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 3964
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 3824
                      [level 14] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5816
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 6908
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      PID: 6932
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7048
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7096
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7116
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7164
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5696
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6160
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6224
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6256
      [level 6] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 6332
        [level 7] C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe (command line: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe) PID: 6180
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5144
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      PID: 6380
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6456
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5648
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 5824
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6420
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6752
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6892
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 7080
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6836
      [level 6] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe")
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 2516
        [level 7] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Adds Run key to start application
          - Drops file in System32 directory
          PID: 692
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6384
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6348
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6480
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6452
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6616
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4396
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1352
          [level 8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 4840
          [level 8] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\SysWOW64\InstallDir\Server.exe") PID: 6864
            [level 9] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
              - Boot or Logon Autostart Execution: Active Setup
              - Drops file in System32 directory
              PID: 6548
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 184
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6508
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1128
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 1608
              [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6936
  [level 4] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: "C:\Windows\system32\InstallDir\Server.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 3176
    [level 5] C:\Windows\SysWOW64\InstallDir\Server.exe (command line: C:\Windows\SysWOW64\InstallDir\Server.exe)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      PID: 7020
      [level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") PID: 6176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 1704
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 1604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 2692
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 1972
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 2952
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 1620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 4392
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 3  PID: 4068
C:\Windows\SysWOW64\InstallDir\Server.exe  cmdline: "C:\Windows\system32\InstallDir\Server.exe"  level: 3  PID: 4852
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\InstallDir\Server.exe  cmdline: C:\Windows\SysWOW64\InstallDir\Server.exe  level: 4  PID: 4100
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 4908
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 2860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 5012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 3796
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 2156
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 2448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 5  PID: 2212
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"  level: 5  PID: 4992
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  level: 6  PID: 804
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 4368
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 4480
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 3096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 2968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 4540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 4064
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 4864
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 7  PID: 1712
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  cmdline: "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"  level: 7  PID: 4512
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  cmdline: C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe  level: 8  PID: 2100
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  level: 9  PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cd72580f912a18f1e42dfdfff0b48cad
  SHA1: e8fac5a0312478eda401aea88941566d2bf297f0
  SHA256: 17ca79bbb83318934b4638094adf742e93509f326d5439a06a4458e8e0c132e1
  SHA512: 9df3a81faeb9dfc2e046715ce9157ec3dfdabca298f38a9050bad780e9db9eb010f4e10d1104077cced14089f2065f8f307e48b1c95833ebab98be1af33a2356
- Filesize: 296KB
  MD5: 5bb4ce20ccbd7dbea1edbcb0a493cde4
  SHA1: a241adc9c026615a7fe8f739170ac9689c9a12aa
  SHA256: 3fd5c605839d254e2a8d07123b923e0ddb798d15d06ebbc936288d1e14d79bda
  SHA512: a4168f7b20a98ab96d395b8a156562c83c8383990b4e6f0844911871fd837b210ae27d6a01cca15c35b796a25eaad3b588a42823c2f1ec89d9580bf844c0f657