xtremerat | 78a8896135b387b751e983d702fade8c51c3bbeebc68a81e6926516ef2b660cf

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Size

668KB
MD5

de4dbe31920f4f6ee1cc076b9e6e854b
SHA1

6ceb15b4031f43fc631fab5ea73f47cd932944e4
SHA256

78a8896135b387b751e983d702fade8c51c3bbeebc68a81e6926516ef2b660cf
SHA512

eab33ed6df08b322c9e41ae857fd14978bb1841c6f361a7ac92cd441dba8850e4dbd5f7606a53285c3404b9c79edf5312d708ad2e8bbc06065cd0217461c132c
SSDEEP

12288:POqBSJNJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYMm:2CScE7z193Rit8UJ62BmhgRm

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

bilou04.no-ip.org

Signatures

Detect XtremeRAT payload 10 IoCs

resource	yara_rule
behavioral1/memory/1824-4-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-14-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-18-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-12-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-10-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-7-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-2-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/2752-27-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-32-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat
behavioral1/memory/1824-38-0x0000000000C80000-0x0000000000CE9000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MQ2166SW-OVQW-SESQ-R5V6-21OKTAN514Q7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Executes dropped EXE 27 IoCs

pid	Process
2712	Server.exe
2824	Server.exe
340	Server.exe
2828	Server.exe
1788	Server.exe
1912	Server.exe
276	Server.exe
1804	Server.exe
3048	Server.exe
2944	Server.exe
2484	Server.exe
2264	Server.exe
2684	Server.exe
1648	Server.exe
1632	Server.exe
600	Server.exe
1144	Server.exe
1976	Server.exe
2840	Server.exe
2328	Server.exe
2408	Server.exe
2880	Server.exe
2812	Server.exe
2696	Server.exe
2556	Server.exe
920	Server.exe
2944	Server.exe

Loads dropped DLL 15 IoCs

pid	Process
1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 2712 set thread context of 2828	2712	Server.exe	67
PID 2828 set thread context of 2476	2828	Server.exe	69
PID 2824 set thread context of 1788	2824	Server.exe	70
PID 340 set thread context of 276	340	Server.exe	72
PID 276 set thread context of 1628	276	Server.exe	74
PID 1912 set thread context of 1804	1912	Server.exe	75
PID 3048 set thread context of 2264	3048	Server.exe	79
PID 2264 set thread context of 1808	2264	Server.exe	81
PID 2944 set thread context of 2684	2944	Server.exe	82
PID 2484 set thread context of 1648	2484	Server.exe	83
PID 1648 set thread context of 692	1648	Server.exe	85
PID 1632 set thread context of 1976	1632	Server.exe	89
PID 1976 set thread context of 1624	1976	Server.exe	91
PID 600 set thread context of 2840	600	Server.exe	92
PID 1144 set thread context of 2328	1144	Server.exe	93
PID 2328 set thread context of 1660	2328	Server.exe	95
PID 2880 set thread context of 2556	2880	Server.exe	100
PID 2556 set thread context of 2396	2556	Server.exe	102
PID 2408 set thread context of 920	2408	Server.exe	103
PID 920 set thread context of 2992	920	Server.exe	105
PID 2812 set thread context of 2944	2812	Server.exe	106

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-73-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-71-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-80-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-79-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-78-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-75-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-81-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-82-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-83-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2476-84-0x0000000001610000-0x0000000001712000-memory.dmp	upx

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2476	explorer.exe
1628	explorer.exe
1808	explorer.exe
692	explorer.exe
1624	explorer.exe
1660	explorer.exe
2396	explorer.exe
2992	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
2476	explorer.exe
1628	explorer.exe
1628	explorer.exe
1808	explorer.exe
692	explorer.exe
1624	explorer.exe
1624	explorer.exe
1660	explorer.exe
2992	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1824	1800	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	30
PID 1824 wrote to memory of 2752	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	32
PID 1824 wrote to memory of 2752	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	32
PID 1824 wrote to memory of 2752	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	32
PID 1824 wrote to memory of 2752	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	32
PID 1824 wrote to memory of 2752	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	32
PID 1824 wrote to memory of 2880	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2880	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2880	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2880	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2884	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	34
PID 1824 wrote to memory of 2884	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	34
PID 1824 wrote to memory of 2884	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	34
PID 1824 wrote to memory of 2884	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	34
PID 1824 wrote to memory of 2928	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	35
PID 1824 wrote to memory of 2928	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	35
PID 1824 wrote to memory of 2928	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	35
PID 1824 wrote to memory of 2928	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	35
PID 1824 wrote to memory of 3012	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	36
PID 1824 wrote to memory of 3012	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	36
PID 1824 wrote to memory of 3012	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	36
PID 1824 wrote to memory of 3012	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	36
PID 1824 wrote to memory of 2764	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	37
PID 1824 wrote to memory of 2764	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	37
PID 1824 wrote to memory of 2764	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	37
PID 1824 wrote to memory of 2764	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	37
PID 1824 wrote to memory of 2716	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	38
PID 1824 wrote to memory of 2716	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	38
PID 1824 wrote to memory of 2716	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	38
PID 1824 wrote to memory of 2716	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	38
PID 1824 wrote to memory of 2312	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	39
PID 1824 wrote to memory of 2312	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	39
PID 1824 wrote to memory of 2312	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	39
PID 1824 wrote to memory of 2312	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	39
PID 1824 wrote to memory of 2096	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	40
PID 1824 wrote to memory of 2096	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	40
PID 1824 wrote to memory of 2096	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	40
PID 1824 wrote to memory of 2096	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	40
PID 1824 wrote to memory of 3000	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	41
PID 1824 wrote to memory of 3000	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	41
PID 1824 wrote to memory of 3000	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	41
PID 1824 wrote to memory of 3000	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	41
PID 1824 wrote to memory of 2772	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	42
PID 1824 wrote to memory of 2772	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	42
PID 1824 wrote to memory of 2772	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	42
PID 1824 wrote to memory of 2772	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	42
PID 1824 wrote to memory of 2648	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	43
PID 1824 wrote to memory of 2648	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	43
PID 1824 wrote to memory of 2648	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	43
PID 1824 wrote to memory of 2648	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	43
PID 1824 wrote to memory of 2428	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	44
PID 1824 wrote to memory of 2428	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	44
PID 1824 wrote to memory of 2428	1824	de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\de4dbe31920f4f6ee1cc076b9e6e854b_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2752
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2824
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:340
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1100
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1628
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1912
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3048
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1808
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2944
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2484
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:692
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1632
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1068
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1624
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:600
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:544
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1660
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2540
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2992
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2880
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2812
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2928
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2312
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2648
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2616
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2632
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2136
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2664
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:524
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:664
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2712
  - - C:\Windows\InstallDir\Server.exe
      C:\Windows\InstallDir\Server.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Qfw1SuG.cfg

Filesize
1KB

MD5
23134df96547b361c8591e8cf4a590a6

SHA1
abd3bd6064ffefd50f99f29a3777c227b4a1f200

SHA256
c3cd3b7a3c9ca317ba155247e1d59753ffaa0e4e0ee594a816655dd9550e158e

SHA512
326745ea4afb2fcb1248a857e08314f9d60e555bc6dfa5ddc077974fb9995456f422cd338d3d31865175e02e14910fac5d52602a63856882c345a30b34d4722d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Qfw1SuG.dat

Filesize
2B

MD5
84cad01fdb44ae58dbe6c3973dcd87f5

SHA1
4700b42849fb35be323774820bf1bc8019d26c80

SHA256
8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6

SHA512
6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Qfw1SuG.xtr

Filesize
343KB

MD5
6426d400c96fb9ffef4eaa54f6647f4c

SHA1
70a37871aff432790b6adf7d3fc4eb929476e082

SHA256
98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c

SHA512
2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
668KB

MD5
de4dbe31920f4f6ee1cc076b9e6e854b

SHA1
6ceb15b4031f43fc631fab5ea73f47cd932944e4

SHA256
78a8896135b387b751e983d702fade8c51c3bbeebc68a81e6926516ef2b660cf

SHA512
eab33ed6df08b322c9e41ae857fd14978bb1841c6f361a7ac92cd441dba8850e4dbd5f7606a53285c3404b9c79edf5312d708ad2e8bbc06065cd0217461c132c

Download Submit
memory/1800-29-0x0000000023240000-0x000000002326A000-memory.dmp

Filesize
168KB

Download
memory/1824-12-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1824-2-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-1-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-7-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-10-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-0-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-32-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-18-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-38-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-14-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/1824-4-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/2476-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-75-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-70-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-80-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-79-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-78-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-73-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-71-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-81-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-82-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-83-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-84-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2476-87-0x00000000042B0000-0x00000000042B2000-memory.dmp

Filesize
8KB

Download
memory/2712-48-0x0000000023240000-0x000000002326A000-memory.dmp

Filesize
168KB

Download
memory/2752-27-0x0000000000C80000-0x0000000000CE9000-memory.dmp

Filesize
420KB

Download
memory/2824-85-0x0000000023240000-0x000000002326A000-memory.dmp

Filesize
168KB

Download