xtremerat | d65f7bc5cfdd04391c837d0e866d4f8cb1fda856f885c727ab2dcbf13bf8d551

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 09:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
Size

180KB
MD5

fc0a23f153c65c4fcc81881e75facaf2
SHA1

a6fd83e56ad188657970a667f46f4b2abe92d626
SHA256

d65f7bc5cfdd04391c837d0e866d4f8cb1fda856f885c727ab2dcbf13bf8d551
SHA512

c63b880f7f8d78ff28273e17f829e0630ee2934e2ea5d31958e3f72e766b1a456ed252a628c593831c34bbc57871db096aac3eb0380a6758b505e0f4b47fe949
SSDEEP

3072:pYQL7YwLa2TWt+VrqRHgG5FOEYYKvYut1Q:7aYZrqRHuxYK91

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

besbous.no-ip.info

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1812-6-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1812-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2464-12-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1812-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2680-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
2908	Server.exe
2680	Server.exe
2556	Server.exe
2588	Server.exe
540	Server.exe
1480	Server.exe
2020	Server.exe
1516	Server.exe
1144	Server.exe
1756	Server.exe
2836	Server.exe
2160	Server.exe
2428	Server.exe
952	Server.exe
1720	Server.exe
1704	Server.exe
1488	Server.exe
1080	Server.exe
996	Server.exe
1744	Server.exe
1660	Server.exe
2840	Server.exe
1932	Server.exe
1812	Server.exe
1784	Server.exe
2312	Server.exe
2588	Server.exe
2020	Server.exe
1144	Server.exe
2188	Server.exe
1716	Server.exe
1768	Server.exe
556	Server.exe
952	Server.exe
1592	Server.exe
1580	Server.exe
1584	Server.exe
1576	Server.exe
2836	Server.exe
1100	Server.exe
1344	Server.exe
768	Server.exe
1768	Server.exe
2236	Server.exe
2836	Server.exe
2056	Server.exe
1052	Server.exe
1924	Server.exe
3084	Server.exe
3100	Server.exe
3204	Server.exe
3220	Server.exe
3296	Server.exe
3312	Server.exe
3372	Server.exe
3388	Server.exe
3540	Server.exe
3556	Server.exe
3656	Server.exe
3672	Server.exe
3776	Server.exe
3800	Server.exe
3844	Server.exe
3860	Server.exe

Loads dropped DLL 29 IoCs

pid	Process
1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 2908 set thread context of 2680	2908	Server.exe	42
PID 2556 set thread context of 2588	2556	Server.exe	52
PID 540 set thread context of 1480	540	Server.exe	56
PID 2020 set thread context of 1516	2020	Server.exe	70
PID 1144 set thread context of 1756	1144	Server.exe	76
PID 2836 set thread context of 2160	2836	Server.exe	79
PID 2428 set thread context of 952	2428	Server.exe	95
PID 1720 set thread context of 1704	1720	Server.exe	99
PID 1488 set thread context of 1080	1488	Server.exe	102
PID 996 set thread context of 1744	996	Server.exe	124
PID 1660 set thread context of 2840	1660	Server.exe	128
PID 1932 set thread context of 1812	1932	Server.exe	132
PID 1784 set thread context of 2312	1784	Server.exe	152
PID 2588 set thread context of 2020	2588	Server.exe	156
PID 1144 set thread context of 2188	1144	Server.exe	161
PID 1716 set thread context of 1768	1716	Server.exe	180
PID 556 set thread context of 952	556	Server.exe	186
PID 1592 set thread context of 1580	1592	Server.exe	190
PID 1584 set thread context of 1576	1584	Server.exe	207
PID 2836 set thread context of 1100	2836	Server.exe	213
PID 1344 set thread context of 768	1344	Server.exe	217
PID 1768 set thread context of 2236	1768	Server.exe	234
PID 2836 set thread context of 2056	2836	Server.exe	242
PID 1052 set thread context of 1924	1052	Server.exe	248
PID 3084 set thread context of 3100	3084	Server.exe	263
PID 3204 set thread context of 3220	3204	Server.exe	272
PID 3296 set thread context of 3312	3296	Server.exe	278
PID 3372 set thread context of 3388	3372	Server.exe	283
PID 3540 set thread context of 3556	3540	Server.exe	298
PID 3656 set thread context of 3672	3656	Server.exe	307
PID 3776 set thread context of 3800	3776	Server.exe	317
PID 3844 set thread context of 3860	3844	Server.exe	320
PID 4024 set thread context of 4048	4024	Server.exe	337
PID 3088 set thread context of 3116	3088	Server.exe	343
PID 3232 set thread context of 3164	3232	Server.exe	347
PID 3540 set thread context of 3316	3540	Server.exe	359
PID 3392 set thread context of 3796	3392	Server.exe	367
PID 3872 set thread context of 3888	3872	Server.exe	371
PID 1568 set thread context of 3200	1568	Server.exe	385
PID 3116 set thread context of 2328	3116	Server.exe	393
PID 3564 set thread context of 3248	3564	Server.exe	397
PID 2304 set thread context of 1080	2304	Server.exe	411
PID 3348 set thread context of 4048	3348	Server.exe	422
PID 3200 set thread context of 292	3200	Server.exe	428
PID 3432 set thread context of 3540	3432	Server.exe	432
PID 4132 set thread context of 4148	4132	Server.exe	446
PID 4288 set thread context of 4304	4288	Server.exe	460
PID 4380 set thread context of 4400	4380	Server.exe	466
PID 4468 set thread context of 4492	4468	Server.exe	473
PID 4612 set thread context of 4628	4612	Server.exe	484
PID 4772 set thread context of 4796	4772	Server.exe	499
PID 4860 set thread context of 4884	4860	Server.exe	505
PID 5036 set thread context of 5052	5036	Server.exe	513
PID 5112 set thread context of 4128	5112	Server.exe	518
PID 4488 set thread context of 4504	4488	Server.exe	538
PID 4768 set thread context of 4776	4768	Server.exe	546
PID 4876 set thread context of 4908	4876	Server.exe	551
PID 4344 set thread context of 4800	4344	Server.exe	566
PID 4436 set thread context of 3516	4436	Server.exe	575
PID 4620 set thread context of 4476	4620	Server.exe	581
PID 4172 set thread context of 4904	4172	Server.exe	585
PID 5168 set thread context of 5184	5168	Server.exe	602
PID 5300 set thread context of 5316	5300	Server.exe	613

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-2-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1812-6-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1812-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1812-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2464-12-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1812-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2680-25-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2680-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
2908	Server.exe
2556	Server.exe
540	Server.exe
2020	Server.exe
1144	Server.exe
2836	Server.exe
2428	Server.exe
1720	Server.exe
1488	Server.exe
996	Server.exe
1660	Server.exe
1932	Server.exe
1784	Server.exe
2588	Server.exe
1144	Server.exe
1716	Server.exe
556	Server.exe
1592	Server.exe
1584	Server.exe
2836	Server.exe
1344	Server.exe
1768	Server.exe
2836	Server.exe
1052	Server.exe
3084	Server.exe
3204	Server.exe
3296	Server.exe
3372	Server.exe
3540	Server.exe
3656	Server.exe
3776	Server.exe
3844	Server.exe
4024	Server.exe
3088	Server.exe
3232	Server.exe
3540	Server.exe
3392	Server.exe
3872	Server.exe
1568	Server.exe
3116	Server.exe
3564	Server.exe
2304	Server.exe
3348	Server.exe
3200	Server.exe
3432	Server.exe
4132	Server.exe
4288	Server.exe
4380	Server.exe
4468	Server.exe
4612	Server.exe
4772	Server.exe
4860	Server.exe
5036	Server.exe
5112	Server.exe
4488	Server.exe
4768	Server.exe
4876	Server.exe
4344	Server.exe
4436	Server.exe
4620	Server.exe
4172	Server.exe
5168	Server.exe
5300	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1984 wrote to memory of 1812	1984	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	31
PID 1812 wrote to memory of 2464	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2464	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2464	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2464	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2464	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2740	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	33
PID 1812 wrote to memory of 2740	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	33
PID 1812 wrote to memory of 2740	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	33
PID 1812 wrote to memory of 2740	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	33
PID 1812 wrote to memory of 2740	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	33
PID 1812 wrote to memory of 2504	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	34
PID 1812 wrote to memory of 2504	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	34
PID 1812 wrote to memory of 2504	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	34
PID 1812 wrote to memory of 2504	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	34
PID 1812 wrote to memory of 2504	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	34
PID 1812 wrote to memory of 2080	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	35
PID 1812 wrote to memory of 2080	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	35
PID 1812 wrote to memory of 2080	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	35
PID 1812 wrote to memory of 2080	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	35
PID 1812 wrote to memory of 2080	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	35
PID 1812 wrote to memory of 2684	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	36
PID 1812 wrote to memory of 2684	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	36
PID 1812 wrote to memory of 2684	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	36
PID 1812 wrote to memory of 2684	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	36
PID 1812 wrote to memory of 2684	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	36
PID 1812 wrote to memory of 2768	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	37
PID 1812 wrote to memory of 2768	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	37
PID 1812 wrote to memory of 2768	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	37
PID 1812 wrote to memory of 2768	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	37
PID 1812 wrote to memory of 2768	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	37
PID 1812 wrote to memory of 2784	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	38
PID 1812 wrote to memory of 2784	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	38
PID 1812 wrote to memory of 2784	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	38
PID 1812 wrote to memory of 2784	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	38
PID 1812 wrote to memory of 2784	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	38
PID 1812 wrote to memory of 2788	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	39
PID 1812 wrote to memory of 2788	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	39
PID 1812 wrote to memory of 2788	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	39
PID 1812 wrote to memory of 2788	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	39
PID 1812 wrote to memory of 2788	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	39
PID 1812 wrote to memory of 2808	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	40
PID 1812 wrote to memory of 2808	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	40
PID 1812 wrote to memory of 2808	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	40
PID 1812 wrote to memory of 2808	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	40
PID 1812 wrote to memory of 2908	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	41
PID 1812 wrote to memory of 2908	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	41
PID 1812 wrote to memory of 2908	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	41
PID 1812 wrote to memory of 2908	1812	fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe	41
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42
PID 2908 wrote to memory of 2680	2908	Server.exe	42

C:\Users\Admin\AppData\Local\Temp\fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fc0a23f153c65c4fcc81881e75facaf2_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    PID:2464
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:540
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        
        PID:1480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2624
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2596
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2412
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:540
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2160
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2992
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        17⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2660
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        19⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1720
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3520
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        23⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3764
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2836
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1620
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2452
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1916
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1936
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1488
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1932
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2820
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1144
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1312
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:628
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1424
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3184
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3204
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3636
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3656
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4008
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        17⤵
        
        PID:4048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3104
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3112
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        21⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2344
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4100
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4584
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5024
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1592
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2544
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1344
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1688
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3276
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3296
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3508
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3372
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3756
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3776
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2236
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3204
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3844
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4000
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3232
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3632
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Adds Run key to start application
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3212
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3116
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3808
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4268
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4752
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        Adds Run key to start application
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:608
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:296
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5148
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5168
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5596
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5836
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3872
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3800
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3564
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2340
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3200
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4368
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4848
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3116
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3432
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        
        PID:3540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4356
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4468
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4784
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4996
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Adds Run key to start application
        
        PID:5052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4336
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4768
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Adds Run key to start application
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5280
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5300
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5712
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        
        PID:5748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6084
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:6104
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5180
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:5112
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        
        PID:4128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4660
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4876
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2844
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5456
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4172
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5272
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5472
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5528
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5828
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        
        PID:5864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5200
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5188
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:5644
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5324
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:6124
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5956
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:5848
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6252
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:5916
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6072
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:5332
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5732
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        
        PID:5764
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5044
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:5348
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        
        PID:5344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5916
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6496
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:6516
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        Adds Run key to start application
        
        PID:6532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6828
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:6840
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5344
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6176
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6644
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        
        PID:6788
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        19⤵
        Adds Run key to start application
        
        PID:6856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5976
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:5900
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5168
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5308
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5488
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6212
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6588
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:6600
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        
        PID:6616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6764
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6304
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6576
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:6668
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6932
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        
        PID:6944
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6308
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6948
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        11⤵
        Adds Run key to start application
        
        PID:7044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6244
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:6548
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        13⤵
        
        PID:6960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5872
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7012
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7068
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6316
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:6520
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        
        PID:6548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5632
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6900
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:6560
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6336
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      PID:6188
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2504
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2080
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2684
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2808
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\InstallDir\Server.exe
      C:\Windows\InstallDir\Server.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2736
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2752
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2508
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2612
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:852
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0a7de4ea6d11bde3f5c938f7fe990fd3

SHA1
d453629219b3c5373c4a8258891c702349b9609c

SHA256
ec34567237a8f67c37ba6034e3acbb52968175f1bcdf315001766474911b3450

SHA512
5803bce896286a81badf4e20eac9dbb73a740f417716d442c7b00784dce34fc69e22f0916a3d309d727fa727b4a211206f507e2ccfbf414aeb81791376aa7596

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
180KB

MD5
fc0a23f153c65c4fcc81881e75facaf2

SHA1
a6fd83e56ad188657970a667f46f4b2abe92d626

SHA256
d65f7bc5cfdd04391c837d0e866d4f8cb1fda856f885c727ab2dcbf13bf8d551

SHA512
c63b880f7f8d78ff28273e17f829e0630ee2934e2ea5d31958e3f72e766b1a456ed252a628c593831c34bbc57871db096aac3eb0380a6758b505e0f4b47fe949

Download Submit
memory/1812-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1812-6-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1812-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1812-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1812-16-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2464-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2464-12-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2680-25-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2680-30-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads