xtremerat | 149ce45bff7c375cd730b676804c3d25b9c37c4b0f4011a04837a0f0d62f8d43

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
Size

118KB
MD5

baa4577807099d5ef70c602515058c68
SHA1

a54569a382890354c833c47ccc211636e3724882
SHA256

149ce45bff7c375cd730b676804c3d25b9c37c4b0f4011a04837a0f0d62f8d43
SHA512

098f826edfb37a5b7ffc9d0010d687f099265ea287de315a5e9a41dff36d9a597550d04042af4991a84efae9c8bc9eb208255d8065bab63e0401c9b003a08abb
SSDEEP

1536:jF1Exu/SqzvEkjRHGaF1v50Aa1rteaVxR76CT13j8E1cQ1CwI510ZaNzizO9Na1v:jFexuznjTzs1BvZx3j/P5S6Za8zIlG

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2820-27-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2884-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1636-64-0x0000000003570000-0x00000000035C9000-memory.dmp	family_xtremerat
behavioral1/memory/2820-948-0x0000000002D30000-0x0000000002D89000-memory.dmp	family_xtremerat
behavioral1/memory/2820-1261-0x0000000002D30000-0x0000000002D89000-memory.dmp	family_xtremerat
behavioral1/memory/2820-1262-0x0000000002D90000-0x0000000002DE9000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe restart"	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe restart"	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{32H6DBA3-1FJU-S810-8543-7Y8T6IARE2A6}	ctfmon.exe

Executes dropped EXE 64 IoCs

pid	Process
2948	ctfmon.exe
1636	ctfmon.exe
1720	ctfmon.exe
656	ctfmon.exe
2832	ctfmon.exe
2232	ctfmon.exe
2284	ctfmon.exe
1912	ctfmon.exe
2348	ctfmon.exe
1612	ctfmon.exe
1952	ctfmon.exe
2364	ctfmon.exe
2212	ctfmon.exe
2740	ctfmon.exe
2572	ctfmon.exe
2544	ctfmon.exe
1916	ctfmon.exe
2776	ctfmon.exe
2204	ctfmon.exe
1052	ctfmon.exe
1876	ctfmon.exe
336	ctfmon.exe
324	ctfmon.exe
2100	ctfmon.exe
1704	ctfmon.exe
2688	ctfmon.exe
2844	ctfmon.exe
2212	ctfmon.exe
1744	ctfmon.exe
2032	ctfmon.exe
1636	ctfmon.exe
2472	ctfmon.exe
2508	ctfmon.exe
2632	ctfmon.exe
2664	ctfmon.exe
2952	ctfmon.exe
2100	ctfmon.exe
2596	ctfmon.exe
1060	ctfmon.exe
2408	ctfmon.exe
1628	ctfmon.exe
1712	ctfmon.exe
2028	ctfmon.exe
1672	ctfmon.exe
656	ctfmon.exe
2684	ctfmon.exe
2240	ctfmon.exe
2888	ctfmon.exe
2824	ctfmon.exe
2472	ctfmon.exe
2572	ctfmon.exe
2316	ctfmon.exe
856	ctfmon.exe
2344	ctfmon.exe
316	ctfmon.exe
3096	ctfmon.exe
3132	ctfmon.exe
3188	ctfmon.exe
3236	ctfmon.exe
3284	ctfmon.exe
3528	ctfmon.exe
3576	ctfmon.exe
3604	ctfmon.exe
3708	ctfmon.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
1636	ctfmon.exe
1636	ctfmon.exe
656	ctfmon.exe
656	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
1912	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2028	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
2684	ctfmon.exe
2684	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
856	ctfmon.exe
2344	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
3604	ctfmon.exe
3604	ctfmon.exe
3708	ctfmon.exe
3708	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
1580	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
3584	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
3660	ctfmon.exe
3296	ctfmon.exe
3992	ctfmon.exe
3992	ctfmon.exe
1128	ctfmon.exe
1128	ctfmon.exe
4212	ctfmon.exe
4304	ctfmon.exe
4616	ctfmon.exe
4616	ctfmon.exe
4708	ctfmon.exe
4708	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
4992	ctfmon.exe
5100	ctfmon.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-13-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2820-27-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2884-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2820-891-0x0000000002D30000-0x0000000002D89000-memory.dmp	upx
behavioral1/memory/2820-948-0x0000000002D30000-0x0000000002D89000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ctfmon = "C:\\Windows\\system32\\InstallDir\\ctfmon.exe"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\ctfmon.exe"	ctfmon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SysWOW64\InstallDir\ctfmon.exe	ctfmon.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2948 set thread context of 1636	2948	ctfmon.exe	42
PID 1720 set thread context of 656	1720	ctfmon.exe	52
PID 2832 set thread context of 2232	2832	ctfmon.exe	62
PID 2284 set thread context of 1912	2284	ctfmon.exe	65
PID 2348 set thread context of 1952	2348	ctfmon.exe	76
PID 1612 set thread context of 2364	1612	ctfmon.exe	78
PID 2212 set thread context of 2740	2212	ctfmon.exe	95
PID 2572 set thread context of 1916	2572	ctfmon.exe	99
PID 2544 set thread context of 2776	2544	ctfmon.exe	100
PID 2204 set thread context of 1052	2204	ctfmon.exe	116
PID 1876 set thread context of 336	1876	ctfmon.exe	120
PID 324 set thread context of 2100	324	ctfmon.exe	124
PID 1704 set thread context of 2688	1704	ctfmon.exe	146
PID 2844 set thread context of 2212	2844	ctfmon.exe	149
PID 1744 set thread context of 1636	1744	ctfmon.exe	154
PID 2032 set thread context of 2472	2032	ctfmon.exe	157
PID 2508 set thread context of 2664	2508	ctfmon.exe	186
PID 2632 set thread context of 2952	2632	ctfmon.exe	188
PID 2100 set thread context of 2596	2100	ctfmon.exe	193
PID 1060 set thread context of 2408	1060	ctfmon.exe	196
PID 1628 set thread context of 2028	1628	ctfmon.exe	214
PID 1712 set thread context of 1672	1712	ctfmon.exe	215
PID 656 set thread context of 2684	656	ctfmon.exe	225
PID 2240 set thread context of 2888	2240	ctfmon.exe	228
PID 2824 set thread context of 2472	2824	ctfmon.exe	244
PID 2572 set thread context of 856	2572	ctfmon.exe	249
PID 2316 set thread context of 2344	2316	ctfmon.exe	250
PID 316 set thread context of 3132	316	ctfmon.exe	269
PID 3096 set thread context of 3236	3096	ctfmon.exe	272
PID 3188 set thread context of 3284	3188	ctfmon.exe	273
PID 3528 set thread context of 3604	3528	ctfmon.exe	291
PID 3576 set thread context of 3708	3576	ctfmon.exe	293
PID 3944 set thread context of 3992	3944	ctfmon.exe	310
PID 4088 set thread context of 1580	4088	ctfmon.exe	313
PID 3128 set thread context of 3172	3128	ctfmon.exe	316
PID 3132 set thread context of 3584	3132	ctfmon.exe	335
PID 3672 set thread context of 3736	3672	ctfmon.exe	339
PID 3704 set thread context of 3940	3704	ctfmon.exe	343
PID 3092 set thread context of 2824	3092	ctfmon.exe	363
PID 3256 set thread context of 3564	3256	ctfmon.exe	371
PID 3992 set thread context of 3524	3992	ctfmon.exe	372
PID 3716 set thread context of 1056	3716	ctfmon.exe	375
PID 1212 set thread context of 3744	1212	ctfmon.exe	391
PID 3544 set thread context of 3296	3544	ctfmon.exe	395
PID 3676 set thread context of 3992	3676	ctfmon.exe	398
PID 3964 set thread context of 3660	3964	ctfmon.exe	415
PID 3776 set thread context of 3868	3776	ctfmon.exe	417
PID 2188 set thread context of 3296	2188	ctfmon.exe	420
PID 1580 set thread context of 3992	1580	ctfmon.exe	437
PID 3084 set thread context of 1128	3084	ctfmon.exe	440
PID 4148 set thread context of 4212	4148	ctfmon.exe	458
PID 4176 set thread context of 4304	4176	ctfmon.exe	460
PID 4536 set thread context of 4616	4536	ctfmon.exe	478
PID 4584 set thread context of 4708	4584	ctfmon.exe	480
PID 4928 set thread context of 4992	4928	ctfmon.exe	498
PID 4980 set thread context of 5100	4980	ctfmon.exe	500
PID 3672 set thread context of 4204	3672	ctfmon.exe	503
PID 4628 set thread context of 4728	4628	ctfmon.exe	527
PID 4680 set thread context of 4920	4680	ctfmon.exe	529
PID 5000 set thread context of 5052	5000	ctfmon.exe	534
PID 4524 set thread context of 4672	4524	ctfmon.exe	556
PID 5092 set thread context of 4392	5092	ctfmon.exe	557
PID 4964 set thread context of 5008	4964	ctfmon.exe	562

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
2948	ctfmon.exe
1720	ctfmon.exe
2832	ctfmon.exe
2284	ctfmon.exe
2348	ctfmon.exe
1612	ctfmon.exe
2212	ctfmon.exe
2572	ctfmon.exe
2544	ctfmon.exe
2204	ctfmon.exe
1876	ctfmon.exe
324	ctfmon.exe
1704	ctfmon.exe
2844	ctfmon.exe
1744	ctfmon.exe
2032	ctfmon.exe
2508	ctfmon.exe
2632	ctfmon.exe
2100	ctfmon.exe
1060	ctfmon.exe
1628	ctfmon.exe
1712	ctfmon.exe
656	ctfmon.exe
2240	ctfmon.exe
2824	ctfmon.exe
2572	ctfmon.exe
2316	ctfmon.exe
316	ctfmon.exe
3096	ctfmon.exe
3188	ctfmon.exe
3528	ctfmon.exe
3576	ctfmon.exe
3944	ctfmon.exe
4088	ctfmon.exe
3128	ctfmon.exe
3132	ctfmon.exe
3672	ctfmon.exe
3704	ctfmon.exe
3092	ctfmon.exe
3256	ctfmon.exe
3992	ctfmon.exe
3716	ctfmon.exe
1212	ctfmon.exe
3544	ctfmon.exe
3676	ctfmon.exe
3964	ctfmon.exe
3776	ctfmon.exe
2188	ctfmon.exe
1580	ctfmon.exe
3084	ctfmon.exe
4148	ctfmon.exe
4176	ctfmon.exe
4536	ctfmon.exe
4584	ctfmon.exe
4928	ctfmon.exe
4980	ctfmon.exe
3672	ctfmon.exe
4628	ctfmon.exe
4680	ctfmon.exe
5000	ctfmon.exe
4524	ctfmon.exe
5092	ctfmon.exe
4964	ctfmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2884	2672	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	31
PID 2884 wrote to memory of 2820	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2820	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2820	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2820	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2820	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2712	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2712	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2712	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2712	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2712	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	33
PID 2884 wrote to memory of 2692	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2692	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2692	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2692	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2692	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2584	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2584	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2584	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2584	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2584	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	35
PID 2884 wrote to memory of 2532	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2532	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2532	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2532	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2532	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	36
PID 2884 wrote to memory of 2548	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2548	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2548	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2548	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2548	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	37
PID 2884 wrote to memory of 2580	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2580	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2580	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2580	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2580	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	38
PID 2884 wrote to memory of 2604	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2604	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2604	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2604	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	39
PID 2884 wrote to memory of 2604	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	39
PID 2884 wrote to memory of 1192	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	40
PID 2884 wrote to memory of 1192	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	40
PID 2884 wrote to memory of 1192	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	40
PID 2884 wrote to memory of 1192	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	40
PID 2884 wrote to memory of 2948	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	41
PID 2884 wrote to memory of 2948	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	41
PID 2884 wrote to memory of 2948	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	41
PID 2884 wrote to memory of 2948	2884	baa4577807099d5ef70c602515058c68_JaffaCakes118.exe	41
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42
PID 2948 wrote to memory of 1636	2948	ctfmon.exe	42

C:\Users\Admin\AppData\Local\Temp\baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\baa4577807099d5ef70c602515058c68_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\baa4577807099d5ef70c602515058c68_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\baa4577807099d5ef70c602515058c68_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2820
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2284
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1548
      - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2348
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:576
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:324
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2136
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2544
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        
        PID:2776
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:324
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2516
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2588
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2032
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:348
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Executes dropped EXE
        
        PID:1672
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2240
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        17⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3540
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2316
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:924
      - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3592
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3188
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3128
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3380
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3704
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3336
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        
        PID:3524
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3716
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3996
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3964
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        12⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4148
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        15⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        24⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5564
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3676
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3116
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3588
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3776
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2188
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1212
      - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        12⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4980
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        15⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3672
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5000
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4680
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        12⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5580
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4884
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4628
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Adds Run key to start application
        
        PID:4968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5556
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5136
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      PID:5616
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5928
      - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        6⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6104
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      Drops file in System32 directory
      PID:6128
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4756
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\system32\InstallDir\ctfmon.exe"
      4⤵
      PID:5700
    - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        5⤵
        
        PID:5972
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2692
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2584
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2532
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2548
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
    "C:\Windows\system32\InstallDir\ctfmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\InstallDir\ctfmon.exe
      "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2928
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2020
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1864
    - - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1720
      - C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\ctfmon.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\system32\InstallDir\ctfmon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\InstallDir\ctfmon.exe
        
        "C:\Windows\SysWOW64\InstallDir\ctfmon.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\88603cb2913a7df3fbd16b5f958e6447_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\uDnxVfoB.cfg

Filesize
1KB

MD5
a78ff8e299c0b912fec1256945f3a542

SHA1
1cdd0ebbec47dc477d9553b59b7fa256ba723423

SHA256
8478d000b28846e4b4e58fdb8e98cdef8789d51affffb1d9a82a985e0f5b971b

SHA512
2c8cd1a96f4193a2fba2d267b6f560983d3636886d2083f91d2e3997426fcb4bec0dce1863d4165cc41f4b11becf3ae5ad985a00fa4f05e39eb009d65cc1d022

Download Submit
C:\Windows\SysWOW64\InstallDir\ctfmon.exe

Filesize
118KB

MD5
baa4577807099d5ef70c602515058c68

SHA1
a54569a382890354c833c47ccc211636e3724882

SHA256
149ce45bff7c375cd730b676804c3d25b9c37c4b0f4011a04837a0f0d62f8d43

SHA512
098f826edfb37a5b7ffc9d0010d687f099265ea287de315a5e9a41dff36d9a597550d04042af4991a84efae9c8bc9eb208255d8065bab63e0401c9b003a08abb

Download Submit
memory/316-626-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/324-323-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/656-535-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-474-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1212-931-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1580-1036-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1580-1058-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1612-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1636-64-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/1636-63-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/1704-347-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1712-512-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1720-69-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/1720-89-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1720-70-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/1720-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1744-388-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1876-299-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2028-519-0x0000000003620000-0x0000000003679000-memory.dmp

Filesize
356KB

Download
memory/2032-402-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2100-460-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2204-278-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2212-221-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2240-556-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2284-127-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2284-128-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/2284-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2316-621-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2348-157-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2348-182-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2508-409-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2544-259-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2544-227-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-599-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-215-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2632-438-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-5-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-3-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2672-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-4-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2820-304-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-742-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-27-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2820-1261-0x0000000002D30000-0x0000000002D89000-memory.dmp

Filesize
356KB

Download
memory/2820-695-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-124-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-1263-0x0000000002D90000-0x0000000002DE9000-memory.dmp

Filesize
356KB

Download
memory/2820-370-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-765-0x0000000002EB0000-0x0000000002F09000-memory.dmp

Filesize
356KB

Download
memory/2820-822-0x0000000002D30000-0x0000000002D89000-memory.dmp

Filesize
356KB

Download
memory/2820-755-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-910-0x0000000002BE0000-0x0000000002C39000-memory.dmp

Filesize
356KB

Download
memory/2820-225-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-948-0x0000000002D30000-0x0000000002D89000-memory.dmp

Filesize
356KB

Download
memory/2820-156-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-1006-0x0000000002F50000-0x0000000002FA9000-memory.dmp

Filesize
356KB

Download
memory/2820-1124-0x0000000002EB0000-0x0000000002F09000-memory.dmp

Filesize
356KB

Download
memory/2820-721-0x0000000002740000-0x0000000002799000-memory.dmp

Filesize
356KB

Download
memory/2820-583-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-155-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-891-0x0000000002D30000-0x0000000002D89000-memory.dmp

Filesize
356KB

Download
memory/2820-1201-0x0000000002D90000-0x0000000002DE9000-memory.dmp

Filesize
356KB

Download
memory/2820-627-0x0000000000560000-0x00000000005B9000-memory.dmp

Filesize
356KB

Download
memory/2820-1262-0x0000000002D90000-0x0000000002DE9000-memory.dmp

Filesize
356KB

Download
memory/2832-102-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2832-120-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2844-360-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2884-8-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-31-0x00000000032A0000-0x00000000032F9000-memory.dmp

Filesize
356KB

Download
memory/2884-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-16-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-15-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-13-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2884-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2948-38-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2948-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2948-37-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/2948-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3084-1047-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3084-1075-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3092-858-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3096-673-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3096-628-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3256-880-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3528-701-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3528-681-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3576-715-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3604-723-0x00000000032E0000-0x0000000003339000-memory.dmp

Filesize
356KB

Download
memory/3604-722-0x00000000032E0000-0x0000000003339000-memory.dmp

Filesize
356KB

Download
memory/3660-1031-0x00000000036A0000-0x00000000036F9000-memory.dmp

Filesize
356KB

Download
memory/3672-823-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3672-810-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3672-1218-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3672-1202-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3676-969-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3776-1012-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3776-987-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3944-728-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3964-974-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3992-901-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4088-759-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4148-1100-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4176-1112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4212-1118-0x0000000003500000-0x0000000003559000-memory.dmp

Filesize
356KB

Download
memory/4524-1312-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4628-1244-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-1230-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-1258-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4980-1195-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads