xtremerat | 56744b15681e76b326b8d8a51d47a28a3c102bf3bb04c776ad6340f3c86b8f93

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Size

1.4MB
MD5

52171c1b12574958a59d8ca87abfada6
SHA1

e79f89e3285fc44a8716cc38de70cd0a6a9437b4
SHA256

56744b15681e76b326b8d8a51d47a28a3c102bf3bb04c776ad6340f3c86b8f93
SHA512

95033c47d22e2371c5746afb519ccfd00f6675b605356b384378f27e3609276809d8fbeea07561320d117108afc3a7d821be0aac7dd7c6fff0d565ae83815853
SSDEEP

24576:R9Oq+q3BODItgPHVW0XTD/HkXemkf8Ej9IicA+k9s6po8SCf:R9OJIOZMGD/HQLY9hcAH9Xo8J

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

mody122.no-ip.biz

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2860-16-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2860-17-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2860-18-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2860-21-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2860-33-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 58 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8X75026G-4O1T-7J32-E2UP-7L2U62WSKVR3}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
3012	Server.exe
528	Server.exe
924	Server.exe
3040	Server.exe
2260	Server.exe
2028	Server.exe
1940	Server.exe
1776	Server.exe
1264	Server.exe
2484	Server.exe
2312	Server.exe
1484	Server.exe
1616	Server.exe
2080	Server.exe
1544	Server.exe
2096	Server.exe
2420	Server.exe
2228	Server.exe
1576	Server.exe
1716	Server.exe
2580	Server.exe
3028	Server.exe
772	Server.exe
1492	Server.exe
308	Server.exe
2880	Server.exe
2872	Server.exe
1572	Server.exe
2032	Server.exe
1788	Server.exe
1864	Server.exe
1780	Server.exe
792	Server.exe
2380	Server.exe
876	Server.exe
2844	Server.exe
2860	Server.exe
532	Server.exe
264	Server.exe
1188	Server.exe
2396	Server.exe
2368	Server.exe
1864	Server.exe
2808	Server.exe
1552	Server.exe
2832	Server.exe
392	Server.exe
2292	Server.exe
3036	Server.exe
2632	Server.exe
2136	Server.exe
1664	Server.exe
1944	Server.exe
2828	Server.exe
1376	Server.exe
2180	Server.exe
108	Server.exe
2448	Server.exe
1544	Server.exe
2240	Server.exe
2476	Server.exe
2028	Server.exe
1748	Server.exe
2688	Server.exe

Loads dropped DLL 4 IoCs

pid	Process
2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
3012	Server.exe
528	Server.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 58 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2940 set thread context of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 3012 set thread context of 528	3012	Server.exe	41
PID 528 set thread context of 924	528	Server.exe	42
PID 3040 set thread context of 2260	3040	Server.exe	52
PID 2260 set thread context of 2028	2260	Server.exe	53
PID 1940 set thread context of 1776	1940	Server.exe	63
PID 1776 set thread context of 1264	1776	Server.exe	64
PID 2484 set thread context of 2312	2484	Server.exe	74
PID 2312 set thread context of 1484	2312	Server.exe	75
PID 1616 set thread context of 2080	1616	Server.exe	86
PID 2080 set thread context of 1544	2080	Server.exe	87
PID 2096 set thread context of 2420	2096	Server.exe	97
PID 2420 set thread context of 2228	2420	Server.exe	98
PID 1576 set thread context of 1716	1576	Server.exe	108
PID 1716 set thread context of 2580	1716	Server.exe	109
PID 3028 set thread context of 772	3028	Server.exe	119
PID 772 set thread context of 1492	772	Server.exe	120
PID 308 set thread context of 2880	308	Server.exe	130
PID 2880 set thread context of 2872	2880	Server.exe	131
PID 1572 set thread context of 2032	1572	Server.exe	141
PID 2032 set thread context of 1788	2032	Server.exe	142
PID 1864 set thread context of 1780	1864	Server.exe	152
PID 1780 set thread context of 792	1780	Server.exe	153
PID 2380 set thread context of 876	2380	Server.exe	163
PID 876 set thread context of 2844	876	Server.exe	164
PID 2860 set thread context of 532	2860	Server.exe	174
PID 532 set thread context of 264	532	Server.exe	175
PID 1188 set thread context of 2396	1188	Server.exe	185
PID 2396 set thread context of 2368	2396	Server.exe	186
PID 1864 set thread context of 2808	1864	Server.exe	196
PID 2808 set thread context of 1552	2808	Server.exe	197
PID 2832 set thread context of 392	2832	Server.exe	207
PID 392 set thread context of 2292	392	Server.exe	208
PID 3036 set thread context of 2632	3036	Server.exe	218
PID 2632 set thread context of 2136	2632	Server.exe	219
PID 1664 set thread context of 1944	1664	Server.exe	229
PID 1944 set thread context of 2828	1944	Server.exe	230
PID 1376 set thread context of 2180	1376	Server.exe	240
PID 2180 set thread context of 108	2180	Server.exe	241
PID 2448 set thread context of 1544	2448	Server.exe	251
PID 1544 set thread context of 2240	1544	Server.exe	252
PID 2476 set thread context of 2028	2476	Server.exe	262
PID 2028 set thread context of 1748	2028	Server.exe	263
PID 2688 set thread context of 108	2688	Server.exe	273
PID 108 set thread context of 2656	108	Server.exe	274
PID 3096 set thread context of 3104	3096	Server.exe	284
PID 3104 set thread context of 3156	3104	Server.exe	285
PID 3280 set thread context of 3288	3280	Server.exe	295
PID 3288 set thread context of 3340	3288	Server.exe	296
PID 3464 set thread context of 3476	3464	Server.exe	306
PID 3476 set thread context of 3528	3476	Server.exe	307
PID 3648 set thread context of 3660	3648	Server.exe	317
PID 3660 set thread context of 3712	3660	Server.exe	318
PID 3840 set thread context of 3848	3840	Server.exe	328
PID 3848 set thread context of 3900	3848	Server.exe	329
PID 4020 set thread context of 4028	4020	Server.exe	339
PID 4028 set thread context of 4080	4028	Server.exe	340

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
528	Server.exe
2260	Server.exe
1776	Server.exe
2312	Server.exe
2080	Server.exe
2420	Server.exe
1716	Server.exe
772	Server.exe
2880	Server.exe
2032	Server.exe
1780	Server.exe
876	Server.exe
532	Server.exe
2396	Server.exe
2808	Server.exe
392	Server.exe
2632	Server.exe
1944	Server.exe
2180	Server.exe
1544	Server.exe
2028	Server.exe
108	Server.exe
3104	Server.exe
3288	Server.exe
3476	Server.exe
3660	Server.exe
3848	Server.exe
4028	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2940	2768	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	30
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2860	2940	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2740	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2740	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2740	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2740	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2740	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2628	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2628	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2628	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2628	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2628	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	33
PID 2860 wrote to memory of 1976	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	34
PID 2860 wrote to memory of 1976	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	34
PID 2860 wrote to memory of 1976	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	34
PID 2860 wrote to memory of 1976	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	34
PID 2860 wrote to memory of 1976	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2576	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2576	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2576	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2576	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2576	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2584	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2584	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2584	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2584	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2584	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2592	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	37
PID 2860 wrote to memory of 2592	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	37
PID 2860 wrote to memory of 2592	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	37
PID 2860 wrote to memory of 2592	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	37
PID 2860 wrote to memory of 2592	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	37
PID 2860 wrote to memory of 2624	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	38
PID 2860 wrote to memory of 2624	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	38
PID 2860 wrote to memory of 2624	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	38
PID 2860 wrote to memory of 2624	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	38
PID 2860 wrote to memory of 2624	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	38
PID 2860 wrote to memory of 2644	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	39
PID 2860 wrote to memory of 2644	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	39
PID 2860 wrote to memory of 2644	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	39
PID 2860 wrote to memory of 2644	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	39
PID 2860 wrote to memory of 3012	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	40
PID 2860 wrote to memory of 3012	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	40
PID 2860 wrote to memory of 3012	2860	52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\52171c1b12574958a59d8ca87abfada6_JaffaCakes118.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2584
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2624
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2644
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3012
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:528
      - C:\Windows\InstallDir\Server.exe
        
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2552
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3040
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\InstallDir\Server.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2192
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\InstallDir\Server.exe
        
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2392
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2484
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\InstallDir\Server.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:992
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1616
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\InstallDir\Server.exe
        
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1644
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\InstallDir\Server.exe
        
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3052
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\InstallDir\Server.exe
        
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2144
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\InstallDir\Server.exe
        
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2116
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\InstallDir\Server.exe
        
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1144
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\InstallDir\Server.exe
        
        33⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:1960
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\InstallDir\Server.exe
        
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2452
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\InstallDir\Server.exe
        
        39⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        40⤵
        
        PID:2524
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\InstallDir\Server.exe
        
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1084
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1188
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\InstallDir\Server.exe
        
        45⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:2388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:1656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:3064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:1808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        46⤵
        
        PID:1036
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1864
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\InstallDir\Server.exe
        
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2852
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\InstallDir\Server.exe
        
        51⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:1096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:1120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        52⤵
        
        PID:836
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\InstallDir\Server.exe
        
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:1284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:624
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\InstallDir\Server.exe
        
        57⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:2756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:1732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:3028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        58⤵
        
        PID:1332
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\InstallDir\Server.exe
        
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:1820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2448
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\InstallDir\Server.exe
        
        63⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:1184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:1340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:2292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        64⤵
        
        PID:920
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\InstallDir\Server.exe
        
        66⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:1420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:1040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:2304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:2732
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        67⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        68⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Windows\InstallDir\Server.exe
        
        69⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        70⤵
        
        PID:3084
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        70⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Windows\InstallDir\Server.exe
        
        72⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        73⤵
        
        PID:3268
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        74⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        C:\Windows\InstallDir\Server.exe
        
        75⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        76⤵
        
        PID:3452
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        76⤵
        Suspicious use of SetThreadContext
        
        PID:3464
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Windows\InstallDir\Server.exe
        
        78⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        79⤵
        
        PID:3636
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        80⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Windows\InstallDir\Server.exe
        
        81⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        82⤵
        
        PID:3824
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        82⤵
        Suspicious use of SetThreadContext
        
        PID:3840
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        C:\Windows\InstallDir\Server.exe
        
        84⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        85⤵
        
        PID:4008
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        86⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4028
        
        C:\Windows\InstallDir\Server.exe
        
        87⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        88⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        88⤵
        
        PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\cRF1eAcuL.cfg

Filesize
1KB

MD5
d3dcc62bfb6440d912465a791bbfc596

SHA1
2f0a4ba177c4143a39f564d109894a9e922fcbf3

SHA256
c1e22155c2fd52282e7d1217c615f67f7d1394b954bfcda4c12660ad6ba9aaa3

SHA512
bf77afed93f018cd8bbbee8c4296b943391665dd4d83a757a4259a1eddaa6b96aa60109e63daa2108dba0aae4ead9ecf4427ac69c843ad7299176f58915f4a8d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
1.4MB

MD5
52171c1b12574958a59d8ca87abfada6

SHA1
e79f89e3285fc44a8716cc38de70cd0a6a9437b4

SHA256
56744b15681e76b326b8d8a51d47a28a3c102bf3bb04c776ad6340f3c86b8f93

SHA512
95033c47d22e2371c5746afb519ccfd00f6675b605356b384378f27e3609276809d8fbeea07561320d117108afc3a7d821be0aac7dd7c6fff0d565ae83815853

Download Submit
memory/528-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-88-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2260-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2860-16-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2860-17-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2860-18-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2860-33-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2860-21-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2940-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-34-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3012-49-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/3040-68-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads