xtremerat | 2351ea88e204dd23c942610956d2d8a89761794c3db853b55dfd0dd3cd8fb538

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Size

742KB
MD5

409e0a90f1d77bfa0a64162fef75dee5
SHA1

fdd709f4f426784b8deddf13bbc9cc9ee0432b35
SHA256

2351ea88e204dd23c942610956d2d8a89761794c3db853b55dfd0dd3cd8fb538
SHA512

8f884a581eb6f2f910d572607826343b5cabc4ba6bb68f96e2f065c6c7a076492aea175243b21ab84760c1bb0c817af56b5283146c91f49daec500838faa4053
SSDEEP

12288:orgdNDEpK58V1oY++f/P3R6qhBA0fEpRRmh7yu4rLqXTViJ1iiB2tt/7OZSE5hVz:orUdEo+1o2J6qndEpReOuGO4vB2tt/7+

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Deletes itself 1 IoCs

pid	Process
2292	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	mxsetup.exe
1140	MxInstallOnline.exe
1700	Server.exe
2432	Server.exe
992	Server.exe
896	Server.exe
2796	Server.exe
2772	Server.exe
2244	Server.exe
2216	Server.exe
3008	Server.exe
408	Server.exe
684	Server.exe
2132	Server.exe
2672	Server.exe
2680	Server.exe
2940	Server.exe
2936	Server.exe
2168	Server.exe
1952	Server.exe
1528	Server.exe
336	Server.exe
2632	Server.exe
1848	Server.exe
1032	Server.exe
2576	Server.exe
2260	Server.exe
1668	Server.exe
936	Server.exe
2412	Server.exe
1520	Server.exe
2988	Server.exe
984	Server.exe
2256	Server.exe
2692	Server.exe
2380	Server.exe
2944	Server.exe
2828	Server.exe
1616	Server.exe
2700	Server.exe
584	Server.exe
1036	Server.exe
380	Server.exe
2776	Server.exe
992	Server.exe
844	Server.exe
2668	Server.exe
316	Server.exe
2920	Server.exe
2852	Server.exe
1780	Server.exe
1604	Server.exe
1640	Server.exe
2468	Server.exe
1200	Server.exe
2624	Server.exe
892	Server.exe
1300	Server.exe
1920	Server.exe
840	Server.exe
380	Server.exe
2592	Server.exe
2864	Server.exe
2992	Server.exe

Loads dropped DLL 64 IoCs

pid	Process
2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
3068	mxsetup.exe
3068	mxsetup.exe
1140	MxInstallOnline.exe
1140	MxInstallOnline.exe
2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
1700	Server.exe
1700	Server.exe
1700	Server.exe
1700	Server.exe
992	Server.exe
992	Server.exe
992	Server.exe
992	Server.exe
2244	Server.exe
2244	Server.exe
2244	Server.exe
2244	Server.exe
408	Server.exe
408	Server.exe
408	Server.exe
408	Server.exe
2672	Server.exe
2672	Server.exe
2672	Server.exe
2672	Server.exe
2680	Server.exe
2680	Server.exe
2680	Server.exe
2680	Server.exe
1528	Server.exe
1528	Server.exe
1528	Server.exe
1528	Server.exe
1848	Server.exe
1848	Server.exe
1848	Server.exe
1848	Server.exe
2260	Server.exe
2260	Server.exe
2260	Server.exe
2260	Server.exe
2412	Server.exe
2412	Server.exe
2412	Server.exe
2412	Server.exe
1520	Server.exe
1520	Server.exe
1520	Server.exe
1520	Server.exe
2380	Server.exe
2380	Server.exe
2380	Server.exe
2380	Server.exe
1616	Server.exe
1616	Server.exe
1616	Server.exe
1616	Server.exe
380	Server.exe
380	Server.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2128 set thread context of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 1700 set thread context of 2432	1700	Server.exe	73
PID 2432 set thread context of 896	2432	Server.exe	75
PID 896 set thread context of 1884	896	Server.exe	77
PID 992 set thread context of 2796	992	Server.exe	78
PID 2796 set thread context of 2772	2796	Server.exe	79
PID 2244 set thread context of 2216	2244	Server.exe	82
PID 2216 set thread context of 3008	2216	Server.exe	83
PID 408 set thread context of 684	408	Server.exe	107
PID 684 set thread context of 2132	684	Server.exe	110
PID 2672 set thread context of 2940	2672	Server.exe	131
PID 2680 set thread context of 2936	2680	Server.exe	132
PID 2940 set thread context of 2168	2940	Server.exe	133
PID 2936 set thread context of 1952	2936	Server.exe	134
PID 2168 set thread context of 1236	2168	Server.exe	136
PID 1528 set thread context of 336	1528	Server.exe	138
PID 336 set thread context of 2632	336	Server.exe	139
PID 1848 set thread context of 1032	1848	Server.exe	163
PID 1032 set thread context of 2576	1032	Server.exe	164
PID 2260 set thread context of 1668	2260	Server.exe	190
PID 1668 set thread context of 936	1668	Server.exe	195
PID 2412 set thread context of 2988	2412	Server.exe	214
PID 1520 set thread context of 984	1520	Server.exe	215
PID 2988 set thread context of 2256	2988	Server.exe	216
PID 984 set thread context of 2692	984	Server.exe	217
PID 2256 set thread context of 2600	2256	Server.exe	219
PID 2380 set thread context of 2944	2380	Server.exe	221
PID 2944 set thread context of 2828	2944	Server.exe	222
PID 1616 set thread context of 2700	1616	Server.exe	246
PID 2700 set thread context of 584	2700	Server.exe	249
PID 380 set thread context of 2776	380	Server.exe	270
PID 1036 set thread context of 992	1036	Server.exe	271
PID 2776 set thread context of 844	2776	Server.exe	272
PID 992 set thread context of 2668	992	Server.exe	273
PID 844 set thread context of 2196	844	Server.exe	275
PID 316 set thread context of 2920	316	Server.exe	277
PID 2920 set thread context of 2852	2920	Server.exe	278
PID 1780 set thread context of 1604	1780	Server.exe	302
PID 1604 set thread context of 1640	1604	Server.exe	307
PID 2468 set thread context of 2624	2468	Server.exe	326
PID 1200 set thread context of 892	1200	Server.exe	327
PID 2624 set thread context of 1300	2624	Server.exe	328
PID 892 set thread context of 1920	892	Server.exe	329
PID 1300 set thread context of 2672	1300	Server.exe	331
PID 840 set thread context of 380	840	Server.exe	333
PID 380 set thread context of 2592	380	Server.exe	334
PID 2864 set thread context of 2992	2864	Server.exe	358
PID 2992 set thread context of 2876	2992	Server.exe	361
PID 2380 set thread context of 1236	2380	Server.exe	382
PID 2744 set thread context of 2836	2744	Server.exe	383
PID 1236 set thread context of 1472	1236	Server.exe	384
PID 2836 set thread context of 916	2836	Server.exe	385
PID 1472 set thread context of 3048	1472	Server.exe	387
PID 1528 set thread context of 2348	1528	Server.exe	389
PID 2348 set thread context of 1916	2348	Server.exe	390

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001878c-43.dat	nsis_installer_1
behavioral1/files/0x000800000001878c-43.dat	nsis_installer_2
behavioral1/files/0x000500000001a441-139.dat	nsis_installer_1
behavioral1/files/0x000500000001a441-139.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1884	explorer.exe
1236	explorer.exe
2600	explorer.exe
2196	explorer.exe
2672	explorer.exe
3048	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
3008	Server.exe
1236	explorer.exe
2576	Server.exe
2600	explorer.exe
2828	Server.exe
2196	explorer.exe
2852	Server.exe
2672	explorer.exe
2592	Server.exe
3048	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2128	2112	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	30
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 3068	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2656	2128	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2440	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2440	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2440	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2440	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	33
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 3068 wrote to memory of 1140	3068	mxsetup.exe	34
PID 2656 wrote to memory of 2440	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	33
PID 2656 wrote to memory of 288	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	35
PID 2656 wrote to memory of 288	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	35
PID 2656 wrote to memory of 288	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	35
PID 2656 wrote to memory of 288	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	35
PID 2656 wrote to memory of 552	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	36
PID 2656 wrote to memory of 552	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	36
PID 2656 wrote to memory of 552	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	36
PID 2656 wrote to memory of 552	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	36
PID 2656 wrote to memory of 2292	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	37
PID 2656 wrote to memory of 2292	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	37
PID 2656 wrote to memory of 2292	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	37
PID 2656 wrote to memory of 2292	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	37
PID 2656 wrote to memory of 2292	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	37
PID 2656 wrote to memory of 1844	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	38
PID 2656 wrote to memory of 1844	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	38
PID 2656 wrote to memory of 1844	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	38
PID 2656 wrote to memory of 1844	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	38
PID 2656 wrote to memory of 1876	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	39
PID 2656 wrote to memory of 1876	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	39
PID 2656 wrote to memory of 1876	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	39
PID 2656 wrote to memory of 1876	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	39
PID 2656 wrote to memory of 1920	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	40
PID 2656 wrote to memory of 1920	2656	409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\mxsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\mxsetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\MxInstallOnline.exe
      "C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\MxInstallOnline.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\409e0a90f1d77bfa0a64162fef75dee5_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2440
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2056
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:408
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:684
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2776
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2672
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2940
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1236
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1528
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:660
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1932
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2600
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2260
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1668
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1172
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1520
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        
        PID:2692
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2380
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2640
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1616
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2700
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2832
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:380
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2196
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:316
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2112
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2624
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2672
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1780
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2564
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1200
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:892
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:840
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2644
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2744
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:916
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1868
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2380
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3048
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1528
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Adds Run key to start application
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Deletes itself
      PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1032
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2736
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:380
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:408
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2044
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1528
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1700
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2432
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\Language\en.ini

Filesize
3KB

MD5
11182f27c18af8ae16d8e9ecb5d13cb4

SHA1
2b3f01bbfc93abf7114d3088e858c024c4ee2269

SHA256
c8349da0cc664d838cc992e19e59658e0222de9695d1db5174969c4f027dc666

SHA512
90695e726caacdaea36363a6b832d48d758f414a5e3ff2fb8950c36d97a9269b8265faf22d5d6d7c2ffde2fd883129a7f712b65d354a8ea697e22fbc73c03bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\StartMxonline.ini

Filesize
23B

MD5
947708030b99032a0bdd278caa3dc97c

SHA1
4c72b80a0d5fe519f2bcbb1dc4c9a5e0a3fe7f6d

SHA256
b2946511dc16dd97a2b62ae152d6073279e261e8f0b6168c62f29d26c9bcbfe4

SHA512
317db92c2e8860d7e09ccfaa787ef1ea99a699025126a6eb3228cb45c672b64b0dd1656f6ad2f51be737770678ddcf17332debf7e79e0daed7ad4a25246d02d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\MxEncodeS.dll

Filesize
89KB

MD5
e6e9ff42656fba9bc8cc7ac2febfe2d0

SHA1
14f034b295d03a5018765aa1513d9fb7546b5b1d

SHA256
f3e7c33e7c6a9d6f2519bf46322b9c18a2470d66532124f9ede9218313012e16

SHA512
f7bc55163210eae3afefd6fd860bb70e1b79497ac5074f2bb8a0a88540accb328657d446f131ec91b95be93c963f8ee3461e05a47261bcc71e7c28bf9da41230

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\ProgressBk.png

Filesize
201B

MD5
f52340ad4f6b1aa0e5184dd54ae87623

SHA1
a3ee5b0c7a9a29e235aaec727c43ad3d35446d9b

SHA256
97bcdf7d2b41c505506d69eb08d643d31ec32f08e9eb9f2cc9a6d2b05f5fb4f9

SHA512
a74afdd7b046812c4e35a0a02fc7c9cbfe6f1640c03cb72c9663f1d01c1dea964287ffb0fc894dfcbd52545d0c865b32370ecb44d3fc91a4be70ab114cf4d71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\ProgressStep.png

Filesize
159B

MD5
f1db901f48cc3bfd1656c5dc880112d5

SHA1
8e10f2cd53aa654cfcef3a68c3b20c09bad50287

SHA256
7cf5f38a911fe153e9f1b51ab3806b0f5e65fa7a3a6e3a756fc7018300e0a252

SHA512
d5eaf6bc9a57eccb22c9468f65815015981ff2ff572ee8152611af9f8fdb222093b3d20e2629832beaf563f892dd7454064013ae252c40b47538b51f3767bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\background.png

Filesize
1KB

MD5
43cc745297a9ed49bf484da25fea5cc9

SHA1
56e49c38d694eb201eaf26c9dc7bb130523c1cf1

SHA256
81b21b8e9937ae7e66dc5d2187a163d6ba34905afd26e175b72001f2fe51a51d

SHA512
9627b8ede85b5fc944ebde7229b45f194231177d7baac77c84360997ca7395f2bcaa81a17fdd37b255063373a82b40566ba0bf2a2a9ebeb21a1d05518a15ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\close.png

Filesize
347B

MD5
0e2bf9500c9810e540c2f04260b4c9ab

SHA1
5fc89632bf6096ca8fac69a92f62d56fb5dd2ec0

SHA256
1bfc48600788cf5ff0bfdf3fa7b29bff205746b98b1e7a4cd3b34e494cde55e4

SHA512
3f7a8d27629558b53c8a345df251639abad12da82a0ad3b0da222c3836e359eadf8e90763d8a7d23b7c9416df832085c9fd29dccb4f4326317b0c17043d6db4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\close_active.png

Filesize
1KB

MD5
1bf824c445eed11004d1b49960be5b06

SHA1
9ef8c11c5d7542a131e66174230cf12aaa204aa8

SHA256
6fa699af4ed49bab4e9697704e940cc71d3a31c1836c7f95a6795f0e73f511a5

SHA512
4e36697eaa1e57d4ca954da22e6c974ce4441ac201dcd1d91d63d329e326257a1b29fd08c8bfe13d60c953e1ecbc6e2e21bcb6c04badde8f4d741f5f89bb07a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\close_hover.png

Filesize
336B

MD5
2af9d6317e7bb3c9797122a2e37313d1

SHA1
a44ed1fde56610e4cbadac84152edd8889c0bfac

SHA256
a4b0644d1b5189b5bcd09c3fd0120b55eeb20f39546d6705a487a2580c47cc1a

SHA512
daf698a344d0c055d58d63504667d7a6848ac985effd9374f72fa0da4547f9e2dc3f2450734d27b140b601a23f5c53dbe6ca5588e41085a8de8a2ca8338df8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\en.png

Filesize
3KB

MD5
92424a213ef4b40153a9a9904479409b

SHA1
b260b55b8633a6b0a95fc9bae877d510ae63a072

SHA256
4a9ebe695a4f1bd997720072e2891341af0a5a647a6d9268064692ff42df80e0

SHA512
0f777bdaea208e75f00aed9cd8676bf79d757dc5769d0f3306e84734be44f3d79d7c047e281b1fc7309888e3adbe082e7219dffd6cd6031b5fa634f29635ed66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\img\logo.png

Filesize
916B

MD5
5a1cb3aff61c04d831e4dea2b62f3942

SHA1
874eed1183e21f4a856cb97beec6f413724d2ca6

SHA256
16aa579c30d9730f6d735f69060e1fac922a65956409c24904ce3871f5f9bc57

SHA512
9523ae8bb18af7e8ac44330bb329cdde333bf74975a310cc930e51f7789ce28baa4ac61626f2cc49a57bcf98fb3dca8d7ceeea0f7e789e40bd2e3fdf7fdfeb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\inscfg.ini

Filesize
226B

MD5
912d3eae481b7b9342f22fd4f204e34a

SHA1
6dde25fa934e7bf3524f58a6273e256277870b7f

SHA256
c42f49933f29b8119ffae893dfbdf650183b233403cfdd0be009dcb0906aea68

SHA512
58dc9291b5519d627979bd999f04568fcd7b9560b97f7f513e2bed9b12f300c6eae9f8600f12143d60453f2fbbe659e1f13c15919d8b4f834576d2620b73e9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zolizem.wef

Filesize
670KB

MD5
61255b991c241f32e932567c4a395b8d

SHA1
a5611f1de3bd0292b27878c124516e3c2d93b093

SHA256
24d3dad26a6adf8cb9c295175a2736657252c6ce89ba04260ca2d9722759541a

SHA512
db615f1849d78b80a23b798bb2b14ece245c3b3f1b87bc43db0f8c20323addfab24276d026ecf77354426331d1daa2d32096415a06fede8810cd7ce91f79f2c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\GXWB9ipAr9\GXWB9ipAr9.nfo

Filesize
3KB

MD5
cfb22b74b14794a5129ebba4782fe8ef

SHA1
b4f760348b49cbba239d4cd62e588c2049818441

SHA256
3e227f9e22c9c2e71bd0692fa01fba63912a2483b93728a1e1ab9717ba1e37d9

SHA512
2ac32f3d02287fb2bdbe7a6a38151faf24b574313a3ea3818af3844ac9d1c240bbe915e838cfeebfc9fe90d8a1755a946a144abe34bc01b2bcf31de405a3c3d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\GXWB9ipAr9\GXWB9ipAr9.svr

Filesize
346KB

MD5
b6d63330959896290103db9786bd33d6

SHA1
b2558e1b4c6d9e012801a6e6564cf44fa16d6d14

SHA256
38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24

SHA512
54cd768f2df8e7e570a95073e1727465c6c22945334e33b835608b8933ef81d59eb33b3b5b434dde5c8b2f25130b417a076916fa4b7fcd9c33a133681cecc9b2

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
742KB

MD5
409e0a90f1d77bfa0a64162fef75dee5

SHA1
fdd709f4f426784b8deddf13bbc9cc9ee0432b35

SHA256
2351ea88e204dd23c942610956d2d8a89761794c3db853b55dfd0dd3cd8fb538

SHA512
8f884a581eb6f2f910d572607826343b5cabc4ba6bb68f96e2f065c6c7a076492aea175243b21ab84760c1bb0c817af56b5283146c91f49daec500838faa4053

Download Submit
\Users\Admin\AppData\Local\Temp\Somebudu.dll

Filesize
5KB

MD5
fa012d4b6012d52ddb5a68cc8c31292c

SHA1
e23498959b742b6c14e122d3d2384ba364da165a

SHA256
abf7143775c079378153f9800fe706ad17b9b1a12d54c8ba2f87164d46f09df0

SHA512
d03736d1294c4f123dcb29d223e5159ec5d01bc69e4d7c158504a2748cf15bb95fb3293137f09cae9bbfff1f1b5a80a6f185ced9e5f33189e0078ac71aaba032

Download Submit
\Users\Admin\AppData\Local\Temp\foleyolet.dll

Filesize
3KB

MD5
17dfc5ea607c7be7441a90bb0f90e388

SHA1
a348f29a39f2e1b8b81f52c8f333909bfdf4f0e9

SHA256
a18b1c6593bda967f15f212bdf63ed5f9032bc945477922807bf7fbc8b9f7cda

SHA512
84cf74275ac905073b50a2ec8438418f21befce1865a5dcfa4d120ba93d5d1297cbbb8211ace4945c44cd5415a135e30fe08def8e4ec92213aa9ba8ffa617a79

Download Submit
\Users\Admin\AppData\Local\Temp\mxsetup.exe

Filesize
292KB

MD5
3bf24a621ead96af3ffa33d1de194eb9

SHA1
a73d862768f79fd17163a8a38604423c6e92beff

SHA256
c05735b853122ab00981fa9bf255590b8c4881dce033bced85d7161ad39aa6c3

SHA512
64b35e269cf148c1399866e6e4ba98ed8dd8d46e817ac7320a2db6d28b5ae8f3bcda39f972890df93c78915a2b4941e06e52c5da550a2196a0d5604304905243

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC86.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\MxHttpRq.dll

Filesize
109KB

MD5
d42caadf2661c604d3641513b91a3125

SHA1
2833d59c4b47ce3ddab24fdebb6bd42e7921bf41

SHA256
a4d7ea08ac9157c4fcd7fb6c68e1f7a7702750c2dd31bd073a5f3fc5c5fa93a2

SHA512
489aa48996497eec2cda5ca48df361c730088720aa762d863f8d81ef412e3ed4a1e2ac7f3b9db215e387c17816fc2410e959004cf219e02b2f20cccc8a14d3aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\install_data\MxInstallOnline.exe

Filesize
400KB

MD5
6d41dc7a96d957cbbe4703e7ec1dcd9f

SHA1
ed590576ad4c43ba777b2498a3fa59ec769d2bc8

SHA256
36251a533d3630d6d3d2280385a20fbd23407d02e5764b44bacc224f916b84d7

SHA512
e3395b45315eaa35c3232fd657af97152c5825226a71df8ae47e1b5e45fdab56bb06f16b2ba7e1ca74dd1c7963f9aff0eac3a53a76cd8e1cf08fb4e6d9b2cc29

Download Submit
\Users\Admin\AppData\Local\Temp\tukadeku.dll

Filesize
3KB

MD5
ca8b761d4d06343c413f8ceea0b63884

SHA1
4601ce2ae93cd729a0c63e4d4cba8bcff53685aa

SHA256
468dee4f6ba0fbe94a878f71b92762ca5e0850187c2be4e0bbec4fc72e20be77

SHA512
1fca2f4b717dcf111082fa40d2141d5fcffad4c64cb3191fb6b03d1345448cfc68e48ee9afb783e0f4e44d7d269153e2c6333b8c714052a43c448fd650067e47

Download Submit
memory/2128-38-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-25-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-22-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-30-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-34-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-39-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-28-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-26-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2292-142-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2440-131-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-64-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-69-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-67-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-62-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-60-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-52-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-58-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-146-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-173-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-56-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2656-54-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download