xtremerat | 3b502edbf977c5a629a89dca66683d9f3c79588b47dcf4177fc492fe01187c43

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Size

457KB
MD5

4af88ef4a6ceca1e24db838015deac2b
SHA1

b0a62cf9928e8d6a424b4d2c962feb127ae0ab5a
SHA256

3b502edbf977c5a629a89dca66683d9f3c79588b47dcf4177fc492fe01187c43
SHA512

8ea3197dc05832b8be3de4b4900af76d989bbbc7645f81966fecfafba3d6acddd79b649037c7169ba4f702d0fdb14d7ec6cd5c460e3b6c5e70dabf64bbe39d3b
SSDEEP

12288:ptCM7BwSFbDUbQqX4l/DfTLZI0l+8Euui04MQp:pNbiX4ljACPfdp

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 54 IoCs

pid	Process
1788	Server.exe
1008	Server.exe
2412	Server.exe
2456	Server.exe
752	Server.exe
2392	Server.exe
2756	Server.exe
2448	Server.exe
1628	Server.exe
2356	Server.exe
2836	Server.exe
780	Server.exe
1040	Server.exe
1748	Server.exe
1288	Server.exe
2884	Server.exe
2620	Server.exe
2592	Server.exe
2600	Server.exe
1900	Server.exe
1976	Server.exe
1788	Server.exe
684	Server.exe
2916	Server.exe
1048	Server.exe
2704	Server.exe
2792	Server.exe
2348	Server.exe
2872	Server.exe
2228	Server.exe
2000	Server.exe
1124	Server.exe
2952	Server.exe
1932	Server.exe
2808	Server.exe
2980	Server.exe
1252	Server.exe
2432	Server.exe
2596	Server.exe
2068	Server.exe
1704	Server.exe
2352	Server.exe
1640	Server.exe
2884	Server.exe
1836	Server.exe
2716	Server.exe
1772	Server.exe
2348	Server.exe
2424	Server.exe
2840	Server.exe
916	Server.exe
1116	Server.exe
976	Server.exe
1580	Server.exe

Loads dropped DLL 64 IoCs

pid	Process
2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
2412	Server.exe
2412	Server.exe
2412	Server.exe
2412	Server.exe
2756	Server.exe
2756	Server.exe
2756	Server.exe
2756	Server.exe
2356	Server.exe
2356	Server.exe
2356	Server.exe
2356	Server.exe
1040	Server.exe
1040	Server.exe
1040	Server.exe
1040	Server.exe
2884	Server.exe
2884	Server.exe
2884	Server.exe
2884	Server.exe
2600	Server.exe
2600	Server.exe
2600	Server.exe
2600	Server.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
2348	Server.exe
2348	Server.exe
2348	Server.exe
2348	Server.exe
2000	Server.exe
2000	Server.exe
2000	Server.exe
2000	Server.exe
1932	Server.exe
1932	Server.exe
1932	Server.exe
1932	Server.exe
1252	Server.exe
1252	Server.exe
1252	Server.exe
1252	Server.exe
2068	Server.exe
2068	Server.exe
2068	Server.exe
2068	Server.exe
1640	Server.exe
1640	Server.exe
1640	Server.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D09FB2FC-118A-4369-8C6E-96FE8A0D4298} = "C:\\Users\\Admin\\AppData\\Roaming\\{D09FB2FC-118A-4369-8C6E-96FE8A0D4298}\\svchost.exe"	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe

Suspicious use of SetThreadContext 43 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2760 set thread context of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 1788 set thread context of 1008	1788	Server.exe	68
PID 1008 set thread context of 2456	1008	Server.exe	70
PID 2456 set thread context of 296	2456	Server.exe	72
PID 2412 set thread context of 752	2412	Server.exe	73
PID 752 set thread context of 2392	752	Server.exe	74
PID 2756 set thread context of 2448	2756	Server.exe	77
PID 2448 set thread context of 1628	2448	Server.exe	78
PID 2356 set thread context of 2836	2356	Server.exe	102
PID 2836 set thread context of 780	2836	Server.exe	103
PID 1040 set thread context of 1748	1040	Server.exe	129
PID 1748 set thread context of 1288	1748	Server.exe	134
PID 2884 set thread context of 2620	2884	Server.exe	152
PID 2620 set thread context of 2592	2620	Server.exe	153
PID 2592 set thread context of 2428	2592	Server.exe	155
PID 2600 set thread context of 1900	2600	Server.exe	157
PID 1900 set thread context of 1976	1900	Server.exe	158
PID 1788 set thread context of 684	1788	Server.exe	182
PID 684 set thread context of 2916	684	Server.exe	183
PID 1048 set thread context of 2704	1048	Server.exe	209
PID 2704 set thread context of 2792	2704	Server.exe	214
PID 2348 set thread context of 2872	2348	Server.exe	232
PID 2872 set thread context of 2228	2872	Server.exe	233
PID 2228 set thread context of 2308	2228	Server.exe	235
PID 2000 set thread context of 1124	2000	Server.exe	237
PID 1124 set thread context of 2952	1124	Server.exe	238
PID 1932 set thread context of 2808	1932	Server.exe	262
PID 2808 set thread context of 2980	2808	Server.exe	263
PID 1252 set thread context of 2432	1252	Server.exe	289
PID 2432 set thread context of 2596	2432	Server.exe	294
PID 2068 set thread context of 1704	2068	Server.exe	312
PID 1704 set thread context of 2352	1704	Server.exe	313
PID 2352 set thread context of 2936	2352	Server.exe	315
PID 1640 set thread context of 2884	1640	Server.exe	317
PID 2884 set thread context of 1836	2884	Server.exe	318
PID 2716 set thread context of 1772	2716	Server.exe	342
PID 1772 set thread context of 2348	1772	Server.exe	343
PID 2424 set thread context of 2840	2424	Server.exe	371
PID 2840 set thread context of 916	2840	Server.exe	374
PID 1116 set thread context of 976	1116	Server.exe	392
PID 976 set thread context of 1580	976	Server.exe	393
PID 1580 set thread context of 2820	1580	Server.exe	395

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000017546-69.dat	nsis_installer_1
behavioral1/files/0x0008000000017546-69.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
296	explorer.exe
2428	explorer.exe
2308	explorer.exe
2936	explorer.exe
2820	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
780	Server.exe
2428	explorer.exe
2916	Server.exe
2308	explorer.exe
2980	Server.exe
2936	explorer.exe
2348	Server.exe
2820	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2760	2096	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2596	2760	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1776	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	32
PID 2596 wrote to memory of 1776	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	32
PID 2596 wrote to memory of 1776	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	32
PID 2596 wrote to memory of 1776	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	32
PID 2596 wrote to memory of 1776	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2840	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2840	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2840	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2840	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2968	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	34
PID 2596 wrote to memory of 2968	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	34
PID 2596 wrote to memory of 2968	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	34
PID 2596 wrote to memory of 2968	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	34
PID 2596 wrote to memory of 2012	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2012	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2012	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2012	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2356	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2356	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2356	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2356	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2544	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2544	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2544	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2544	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2516	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	38
PID 2596 wrote to memory of 2516	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	38
PID 2596 wrote to memory of 2516	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	38
PID 2596 wrote to memory of 2516	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	38
PID 2596 wrote to memory of 2404	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2404	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2404	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2404	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2004	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	40
PID 2596 wrote to memory of 2004	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	40
PID 2596 wrote to memory of 2004	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	40
PID 2596 wrote to memory of 2004	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	40
PID 2596 wrote to memory of 2100	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2100	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2100	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2100	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2080	2596	4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe	42

C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1776
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2412
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2756
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1788
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2204
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2428
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1040
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2744
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2600
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2748
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1788
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2512
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2308
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1048
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2072
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:760
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1932
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2936
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1252
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2568
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1640
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:492
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1508
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2820
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2968
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2356
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1812
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2296
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2144
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2880
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1788
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1008
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Guwapi.umo

Filesize
394KB

MD5
01e195f30b535fe2c6bd19a958809799

SHA1
c0fe3f2d18b630caac7760f1aa48eb1bcce1825f

SHA256
54e3e33bdebf947b15503bb74ab87fcc2b25a5a2d88c287bc35960fdb102b48a

SHA512
c55585f1ca6e42c71f834645f988acbe39d15f7a75f083c5c0f4ae1ba3b19e4be483707b18db36ceb51b30c15412d7e6a3f7a74ed7092b083060da0ffad21466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nusupumewu.dll

Filesize
11KB

MD5
a5be4fbb8fe08060c779ee7f206f7e40

SHA1
0d7cd2613abce8133b2f0e6e88cdca345ce7afaa

SHA256
c01b3508abdfdb58dae16e0de08792a0bb26be7f16d5be9abcbdd3f7fb573810

SHA512
2db534046d3acb226813dc346923e2ae5eb666f3ce5686a7fb66a893e521bd2d17b6fc2c3c7c09fed351cfe535d441d9d85c44ea3ea154e9de83dc50caca42ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\4ZKhD25M\4ZKhD25M.nfo

Filesize
3KB

MD5
4adbc3c8649c774a28c9a2ddcbef5650

SHA1
a085559a45ca7f7de2a55a9d895b7ec57fc8d3c1

SHA256
dd673c84b04cda3df515d3756a52e1b05b57e3e8f56dc442e337f6acccded752

SHA512
7cb75aaf8949f00bbcd20caed0d8532a9c981929029774f86f190a8a1df05d6002cc57ce8442a34728ce11c8f7757a585792d9fa46644c8297fa616878c41d57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\4ZKhD25M\4ZKhD25M.svr

Filesize
346KB

MD5
d66a2c0bab8c432e8db0e0ec5ea7cdd7

SHA1
beae77cb01b5c20095571a848461594d1b8ffb33

SHA256
c3aad752da5499aa3efc4725bda75e3cb5d33ac00ffbd4cfa99fa2a9d2fbf1ab

SHA512
71f22d8e23eda765af102bd2be1d50f630abc06cf494fa03d19276cf8110d5272f5296604395d5a5e8e12009f512df2a66c59581baf813c48b579cbe84446eeb

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
457KB

MD5
4af88ef4a6ceca1e24db838015deac2b

SHA1
b0a62cf9928e8d6a424b4d2c962feb127ae0ab5a

SHA256
3b502edbf977c5a629a89dca66683d9f3c79588b47dcf4177fc492fe01187c43

SHA512
8ea3197dc05832b8be3de4b4900af76d989bbbc7645f81966fecfafba3d6acddd79b649037c7169ba4f702d0fdb14d7ec6cd5c460e3b6c5e70dabf64bbe39d3b

Download Submit
\Users\Admin\AppData\Local\Temp\Penamogodiy.dll

Filesize
3KB

MD5
327d5dabafb66291d1203a94a63ef331

SHA1
d691cb16ec44deafdf02954f3421d2dd24f3f6a7

SHA256
43f8f8e793c3db3cc526872c8fa847850757e14034b7749da0dfc69589ab176c

SHA512
4935a6fa8f8a6efe02879c7285ae8bb111f6f937d83c46f77add46ee77686be13e5e28d9f662db7843e45a47787a728a558edd33e808718e5e2e17e4b769ecfe

Download Submit
\Users\Admin\AppData\Local\Temp\Zomafoyi.dll

Filesize
3KB

MD5
ec2842e7e52ccfe32c3e9a18120b197e

SHA1
7106a5ba84c41d270948eb7d820322346c55e91b

SHA256
cfefaef13e409dc106c18947038fde35616b72ba5d7f63a09665e1ece1aa49be

SHA512
15999656ce30451d3e4fff18062a96aa84b13b68434f7af0fcf3e6fd04971906a85cb144bf2e2a6f7bfb907fd81fd7bf252f0f3823c5b9ef6bf60be6890d873e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7540.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/296-162-0x0000000001610000-0x0000000001715000-memory.dmp

Filesize
1.0MB

Download
memory/1776-70-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/1776-68-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2096-27-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2596-50-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-51-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-78-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-48-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2596-61-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-60-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-57-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-54-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-53-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-52-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-73-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2596-49-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/2760-32-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-36-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-28-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-41-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2760-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download