28300a26a2bf7ec64421f75d4cd245a868685e46cfd21dbf421a358990a91df2

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Size

637KB
MD5

be0bb427afb72750a32a7f79b4ba181f
SHA1

e3554be8302b82a84a8170f83b86ef53400b80a0
SHA256

28300a26a2bf7ec64421f75d4cd245a868685e46cfd21dbf421a358990a91df2
SHA512

9079809149bba7cead6623808a38d906ec221f59061194f7b308fef32e01f13dd8a5e3b4f521c5a5557e7dd3dbb61d372516c473b67214b7c527d756ac1dab16
SSDEEP

12288:tFlcBrgLSp65MWy3uR88z4yBU/3qO5yx1rGrAt5OCHjgC0:WBrgLSp2MWy3ui8fBa+KTGjm

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 50 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

Executes dropped EXE 46 IoCs

pid	Process
2920	Server.exe
2716	Server.exe
2656	Server.exe
2632	Server.exe
1604	Server.exe
1520	Server.exe
1784	Server.exe
1596	Server.exe
1216	Server.exe
1988	Server.exe
2448	Server.exe
2936	Server.exe
1512	Server.exe
2172	Server.exe
1444	Server.exe
1452	Server.exe
344	Server.exe
2560	Server.exe
1500	Server.exe
2072	Server.exe
2784	Server.exe
2800	Server.exe
2764	Server.exe
2984	Server.exe
1048	Server.exe
1432	Server.exe
1096	Server.exe
1848	Server.exe
1892	Server.exe
1584	Server.exe
980	Server.exe
2488	Server.exe
1668	Server.exe
2932	Server.exe
2396	Server.exe
2928	Server.exe
1244	Server.exe
2924	Server.exe
2240	Server.exe
944	Server.exe
2808	Server.exe
2784	Server.exe
2600	Server.exe
2992	Server.exe
1396	Server.exe
1640	Server.exe

Loads dropped DLL 24 IoCs

pid	Process
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-3-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-5-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-1-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-10-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-11-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-12-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/3060-17-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-18-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2244-19-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2716-35-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2716-36-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2716-34-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2716-38-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2716-39-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2632-54-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2632-52-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2632-53-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2632-57-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2632-58-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1520-76-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1520-77-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe"	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2920 set thread context of 2716	2920	Server.exe	38
PID 2656 set thread context of 2632	2656	Server.exe	42
PID 1604 set thread context of 1520	1604	Server.exe	46
PID 1784 set thread context of 1596	1784	Server.exe	50
PID 1216 set thread context of 1988	1216	Server.exe	54
PID 2448 set thread context of 2936	2448	Server.exe	58
PID 1512 set thread context of 2172	1512	Server.exe	62
PID 1444 set thread context of 1452	1444	Server.exe	66
PID 344 set thread context of 2560	344	Server.exe	70
PID 1500 set thread context of 2072	1500	Server.exe	74
PID 2784 set thread context of 2800	2784	Server.exe	78
PID 2764 set thread context of 2984	2764	Server.exe	82
PID 1048 set thread context of 1432	1048	Server.exe	86
PID 1096 set thread context of 1848	1096	Server.exe	90
PID 1892 set thread context of 1584	1892	Server.exe	94
PID 980 set thread context of 2488	980	Server.exe	98
PID 1668 set thread context of 2932	1668	Server.exe	102
PID 2396 set thread context of 2928	2396	Server.exe	106
PID 1244 set thread context of 2924	1244	Server.exe	110
PID 2240 set thread context of 944	2240	Server.exe	114
PID 2808 set thread context of 2784	2808	Server.exe	118
PID 2600 set thread context of 2992	2600	Server.exe	122
PID 1396 set thread context of 1640	1396	Server.exe	126

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	Server.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
2920	Server.exe
2656	Server.exe
1604	Server.exe
1784	Server.exe
1216	Server.exe
2448	Server.exe
1512	Server.exe
1444	Server.exe
344	Server.exe
1500	Server.exe
2784	Server.exe
2764	Server.exe
1048	Server.exe
1096	Server.exe
1892	Server.exe
980	Server.exe
1668	Server.exe
2396	Server.exe
1244	Server.exe
2240	Server.exe
2808	Server.exe
2600	Server.exe
1396	Server.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
2716	Server.exe
2632	Server.exe
1520	Server.exe
1596	Server.exe
1988	Server.exe
2936	Server.exe
2172	Server.exe
1452	Server.exe
2560	Server.exe
2072	Server.exe
2800	Server.exe
2984	Server.exe
1432	Server.exe
1848	Server.exe
1584	Server.exe
2488	Server.exe
2932	Server.exe
2928	Server.exe
2924	Server.exe
944	Server.exe
2784	Server.exe
2992	Server.exe
1640	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2112	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2884	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2244	2680	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	32
PID 2244 wrote to memory of 3060	2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	34
PID 2244 wrote to memory of 3060	2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	34
PID 2244 wrote to memory of 3060	2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	34
PID 2244 wrote to memory of 3060	2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	34
PID 2244 wrote to memory of 3060	2244	be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe	34
PID 3060 wrote to memory of 2920	3060	svchost.exe	35
PID 3060 wrote to memory of 2920	3060	svchost.exe	35
PID 3060 wrote to memory of 2920	3060	svchost.exe	35
PID 3060 wrote to memory of 2920	3060	svchost.exe	35
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2268	2920	Server.exe	36
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2912	2920	Server.exe	37
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 2920 wrote to memory of 2716	2920	Server.exe	38
PID 3060 wrote to memory of 2656	3060	svchost.exe	39
PID 3060 wrote to memory of 2656	3060	svchost.exe	39
PID 3060 wrote to memory of 2656	3060	svchost.exe	39
PID 3060 wrote to memory of 2656	3060	svchost.exe	39
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40
PID 2656 wrote to memory of 2596	2656	Server.exe	40

C:\Users\Admin\AppData\Local\Temp\be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\be0bb427afb72750a32a7f79b4ba181f_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2268
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2912
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1604
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1864
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1784
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1724
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2356
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2968
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1512
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1444
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2124
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:592
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:344
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2200
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:800
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2212
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2076
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2784
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2752
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2916
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2800
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2764
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2416
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2656
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1048
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1064
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2428
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1432
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2140
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1892
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:696
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1588
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2456
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1272
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:112
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1244
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2440
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2240
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2108
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2116
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2820
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2652
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2676
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2424
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:236
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
fe01ebfd175b5ba093d77b7bf203eeda

SHA1
41cc99cd4db47cd477d76c55222742be230a9084

SHA256
8bfb6021fddba1790b1e2654dcf0c21932fc321c6dae655d74a6343973e0c9ae

SHA512
84028ee55e0eba2729ee27cd3bfd386fc0a003292fdada03eec401533c37d184598fd54a706360f0f0caba5870603a7a5c02241e3f987ba61e184aa2b4c55dbd

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
8c294391e9ad6fd23848f55f0a642501

SHA1
afced643ac72845cc1ca444097fcbd73764a803f

SHA256
5d9e354a9ba5874e279da700be8c17ee10d316239884e2b417f0af4bd4c9bf6f

SHA512
b4ee43e3a8c8146db24b5c3c5a507876e7e8a8297db021a73f272431d2706244258402da3e9737f993c975adceb4bd700a743aa5947a6e64d945c1f1112d313a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
7184635d60e25a1d44fd185e7bd5e51d

SHA1
e4277924ed9e24a56019383c3bc2533e782bd598

SHA256
a416aebc4e663b19d0fff0d45d4be169303e7f6ddb841ccc458abb3ead73030f

SHA512
58b66babc716150493ddcf776a815d3d543c7a986522ba28334eea2a003307b10b864e59ffb3975b71076b6d678afa7785fb5b819f6da64d71f7c9d96744595f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
dc1aa398cfa375f38d76204b8e730c57

SHA1
a4224abd455192c2cb6c4bf41b14572c97529b93

SHA256
784af2992dc6d7d9239012b2f3bc6cdb6ed54b79b4207fdf2e69fa9a83f5f501

SHA512
b3f9ee19b8e8754884206cf0c983385827e3d29afe4c6bd0bffd1124c7852b0f2efcda91c5156eae119248416865e1817e58e9d809a1f22b9542886242a5427f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
56fbb6a769ee7dbec8a1b28ebbf2409d

SHA1
c3bea491a5bd25918d177f5f9655ce50746dde97

SHA256
65024bb3113693b656e77397e7410e3d392b4c928402817507779dd493a3b209

SHA512
bc3b3e5195cd3f9908fcc4bf461d1961216a4fda5e9ce647ecc701e5123d30548b8bb2ec14ce2c4ffac076c877e13d251814546b6be4958074cec0335fdc75ab

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
637KB

MD5
0140883b4146976f3ab4ce516aed7b1c

SHA1
f4878acc3bb1725aa337d183c15db1aab716bc07

SHA256
0d8064d2a9a2c8a6fd53240133248fa0e45b51edb6a2066a0cc56b52774927ca

SHA512
b0fe3fa4b8241a8804a707de1fb3eab1dffb68ddc6ccfd5b4db4baafa023b120ec19f788142652c0ba7dbfe7bae9fbad1bd2f3da73ee51c38540220b30702163

Download Submit
\Windows\InstallDir\Server.exe

Filesize
637KB

MD5
be0bb427afb72750a32a7f79b4ba181f

SHA1
e3554be8302b82a84a8170f83b86ef53400b80a0

SHA256
28300a26a2bf7ec64421f75d4cd245a868685e46cfd21dbf421a358990a91df2

SHA512
9079809149bba7cead6623808a38d906ec221f59061194f7b308fef32e01f13dd8a5e3b4f521c5a5557e7dd3dbb61d372516c473b67214b7c527d756ac1dab16

Download Submit
memory/1520-76-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1520-77-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1604-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2244-0-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-19-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-18-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-12-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-11-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-10-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-1-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-5-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2244-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-3-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2632-57-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2632-52-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2632-53-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2632-54-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2632-58-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2656-51-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2680-9-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2716-38-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-34-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-36-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-35-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-39-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2920-33-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3060-17-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download