xtremerat | 5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
Size

279KB
MD5

60346d6d7471ce30de99997efaf63006
SHA1

97edc6484b68609a483950fc88dbc8fd885997d1
SHA256

5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb
SHA512

f8dcc57e1662e45fa3b7bb69569113e5a863a6ff6c84ab6eed28982e8bac6d5fb722595450e0509d996654b72481fa15383a5344a3d401f57ca575c8620771e7
SSDEEP

6144:VAbjy/ALTraclI9AOveibOH3oxrqFNCapD7Vz1iRVfotU:V2jy4L/JlI91veibKY5q2apD7RYf+U

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2192-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2192-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1996-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2192-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	Server.exe
2796	Server.exe
2852	Server.exe
1492	Server.exe
2124	Server.exe
2040	Server.exe
2896	Server.exe
2784	Server.exe
604	Server.exe
1416	Server.exe
1836	Server.exe
1648	Server.exe
996	Server.exe
2324	Server.exe
888	Server.exe
1516	Server.exe
1076	Server.exe
1792	Server.exe
884	Server.exe
1840	Server.exe
1820	Server.exe
1268	Server.exe
2620	Server.exe
2408	Server.exe
992	Server.exe
1416	Server.exe
2312	Server.exe
2092	Server.exe
892	Server.exe
604	Server.exe
756	Server.exe
2864	Server.exe
1540	Server.exe
1880	Server.exe
276	Server.exe
2896	Server.exe
1048	Server.exe
2836	Server.exe
1980	Server.exe
2040	Server.exe
2172	Server.exe
2096	Server.exe
2132	Server.exe
2584	Server.exe
1356	Server.exe
1652	Server.exe
840	Server.exe
2432	Server.exe
788	Server.exe
1856	Server.exe
1540	Server.exe
2124	Server.exe
2384	Server.exe
1792	Server.exe
1992	Server.exe
1720	Server.exe
1864	Server.exe
2636	Server.exe
2888	Server.exe
392	Server.exe
1812	Server.exe
2612	Server.exe
1504	Server.exe
632	Server.exe

Loads dropped DLL 64 IoCs

pid	Process
2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
2852	Server.exe
2852	Server.exe
1492	Server.exe
1996	svchost.exe
1996	svchost.exe
2040	Server.exe
2040	Server.exe
1996	svchost.exe
1996	svchost.exe
1648	Server.exe
888	Server.exe
1792	Server.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
2584	Server.exe
2584	Server.exe
840	Server.exe
840	Server.exe
1856	Server.exe
1856	Server.exe
1996	svchost.exe
1996	svchost.exe
2888	Server.exe
2612	Server.exe
392	Server.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
2244	Server.exe
1996	svchost.exe
1996	svchost.exe
2364	Server.exe
2364	Server.exe
1996	svchost.exe
1996	svchost.exe
5448	Server.exe
5644	Server.exe
1996	svchost.exe
1996	svchost.exe
6116	Server.exe
6116	Server.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe
1996	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Process not Found
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2796 set thread context of 2852	2796	Server.exe	43
PID 2124 set thread context of 2040	2124	Server.exe	55
PID 2784 set thread context of 604	2784	Server.exe	59
PID 1836 set thread context of 1648	1836	Server.exe	76
PID 2324 set thread context of 888	2324	Server.exe	81
PID 1076 set thread context of 1792	1076	Server.exe	86
PID 1840 set thread context of 1820	1840	Server.exe	108
PID 2620 set thread context of 2408	2620	Server.exe	114
PID 1416 set thread context of 2312	1416	Server.exe	119
PID 892 set thread context of 604	892	Server.exe	122
PID 2864 set thread context of 1540	2864	Server.exe	150
PID 276 set thread context of 2896	276	Server.exe	157
PID 2836 set thread context of 1980	2836	Server.exe	163
PID 2132 set thread context of 2584	2132	Server.exe	187
PID 1652 set thread context of 840	1652	Server.exe	193
PID 788 set thread context of 1856	788	Server.exe	197
PID 2124 set thread context of 2384	2124	Server.exe	204
PID 1992 set thread context of 1720	1992	Server.exe	229
PID 2636 set thread context of 2888	2636	Server.exe	236
PID 1812 set thread context of 2612	1812	Server.exe	240
PID 632 set thread context of 2040	632	Server.exe	247
PID 1648 set thread context of 392	1648	Server.exe	253
PID 2860 set thread context of 3084	2860	Server.exe	276
PID 3236 set thread context of 3300	3236	Server.exe	283
PID 3396 set thread context of 3476	3396	Server.exe	289
PID 3624 set thread context of 3680	3624	Server.exe	297
PID 3768 set thread context of 3828	3768	Server.exe	301
PID 3040 set thread context of 3116	3040	Server.exe	328
PID 2836 set thread context of 3320	2836	Server.exe	332
PID 3504 set thread context of 1616	3504	Server.exe	342
PID 3668 set thread context of 3748	3668	Server.exe	346
PID 3880 set thread context of 2636	3880	Server.exe	352
PID 3456 set thread context of 3544	3456	Server.exe	380
PID 3648 set thread context of 3780	3648	Server.exe	385
PID 3112 set thread context of 3776	3112	Server.exe	396
PID 3588 set thread context of 3640	3588	Server.exe	399
PID 3532 set thread context of 3204	3532	Server.exe	407
PID 3592 set thread context of 3408	3592	Server.exe	411
PID 3508 set thread context of 3740	3508	Server.exe	442
PID 3528 set thread context of 3712	3528	Server.exe	449
PID 4152 set thread context of 4208	4152	Server.exe	460
PID 4324 set thread context of 4396	4324	Server.exe	468
PID 4468 set thread context of 4552	4468	Server.exe	472
PID 4664 set thread context of 4720	4664	Server.exe	478
PID 5008 set thread context of 5068	5008	Server.exe	505
PID 4172 set thread context of 4244	4172	Server.exe	512
PID 4464 set thread context of 4564	4464	Server.exe	527
PID 4660 set thread context of 4728	4660	Server.exe	531
PID 5088 set thread context of 3708	5088	Server.exe	539
PID 4172 set thread context of 4276	4172	Server.exe	545
PID 4548 set thread context of 4636	4548	Server.exe	550
PID 4216 set thread context of 4720	4216	Server.exe	576
PID 4596 set thread context of 4732	4596	Server.exe	585
PID 4472 set thread context of 4712	4472	Server.exe	601
PID 5092 set thread context of 2244	5092	Server.exe	637
PID 4276 set thread context of 2364	4276	Server.exe	648
PID 4696 set thread context of 5132	4696	Server.exe	652
PID 5384 set thread context of 5448	5384	Server.exe	670
PID 5580 set thread context of 5644	5580	Server.exe	675
PID 5884 set thread context of 5948	5884	Server.exe	693
PID 6056 set thread context of 6116	6056	Server.exe	697
PID 3624 set thread context of 5380	3624	Server.exe	701
PID 5624 set thread context of 5700	5624	Server.exe	725

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-17-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-13-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-21-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-23-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1996-32-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2192-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\0 = 709c39e0dc721cb2d18b0dee94b64d0cc85bcbd7698776c03b	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}	Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
Token: SeIncBasePriorityPrivilege	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
Token: 33	2796	Server.exe
Token: SeIncBasePriorityPrivilege	2796	Server.exe
Token: 33	2124	Server.exe
Token: SeIncBasePriorityPrivilege	2124	Server.exe
Token: 33	2784	Server.exe
Token: SeIncBasePriorityPrivilege	2784	Server.exe
Token: 33	1836	Server.exe
Token: SeIncBasePriorityPrivilege	1836	Server.exe
Token: 33	2324	Server.exe
Token: SeIncBasePriorityPrivilege	2324	Server.exe
Token: 33	1076	Server.exe
Token: SeIncBasePriorityPrivilege	1076	Server.exe
Token: 33	1840	Server.exe
Token: SeIncBasePriorityPrivilege	1840	Server.exe
Token: 33	2620	Server.exe
Token: SeIncBasePriorityPrivilege	2620	Server.exe
Token: 33	1416	Server.exe
Token: SeIncBasePriorityPrivilege	1416	Server.exe
Token: 33	892	Server.exe
Token: SeIncBasePriorityPrivilege	892	Server.exe
Token: 33	2864	Server.exe
Token: SeIncBasePriorityPrivilege	2864	Server.exe
Token: 33	276	Server.exe
Token: SeIncBasePriorityPrivilege	276	Server.exe
Token: 33	2836	Server.exe
Token: SeIncBasePriorityPrivilege	2836	Server.exe
Token: 33	2132	Server.exe
Token: SeIncBasePriorityPrivilege	2132	Server.exe
Token: 33	1652	Server.exe
Token: SeIncBasePriorityPrivilege	1652	Server.exe
Token: 33	788	Server.exe
Token: SeIncBasePriorityPrivilege	788	Server.exe
Token: 33	2124	Server.exe
Token: SeIncBasePriorityPrivilege	2124	Server.exe
Token: 33	1992	Server.exe
Token: SeIncBasePriorityPrivilege	1992	Server.exe
Token: 33	2636	Server.exe
Token: SeIncBasePriorityPrivilege	2636	Server.exe
Token: 33	1812	Server.exe
Token: SeIncBasePriorityPrivilege	1812	Server.exe
Token: 33	632	Server.exe
Token: SeIncBasePriorityPrivilege	632	Server.exe
Token: 33	1648	Server.exe
Token: SeIncBasePriorityPrivilege	1648	Server.exe
Token: 33	2860	Server.exe
Token: SeIncBasePriorityPrivilege	2860	Server.exe
Token: 33	3236	Server.exe
Token: SeIncBasePriorityPrivilege	3236	Server.exe
Token: 33	3396	Server.exe
Token: SeIncBasePriorityPrivilege	3396	Server.exe
Token: 33	3624	Server.exe
Token: SeIncBasePriorityPrivilege	3624	Server.exe
Token: 33	3768	Server.exe
Token: SeIncBasePriorityPrivilege	3768	Server.exe
Token: 33	3040	Server.exe
Token: SeIncBasePriorityPrivilege	3040	Server.exe
Token: 33	2836	Server.exe
Token: SeIncBasePriorityPrivilege	2836	Server.exe
Token: 33	3504	Server.exe
Token: SeIncBasePriorityPrivilege	3504	Server.exe
Token: 33	3668	Server.exe
Token: SeIncBasePriorityPrivilege	3668	Server.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
2796	Server.exe
2124	Server.exe
2784	Server.exe
1836	Server.exe
2324	Server.exe
1076	Server.exe
1840	Server.exe
2620	Server.exe
1416	Server.exe
892	Server.exe
2864	Server.exe
276	Server.exe
2836	Server.exe
2132	Server.exe
1652	Server.exe
788	Server.exe
2124	Server.exe
1992	Server.exe
2636	Server.exe
1812	Server.exe
632	Server.exe
1648	Server.exe
2860	Server.exe
3236	Server.exe
3396	Server.exe
3624	Server.exe
3768	Server.exe
3040	Server.exe
2836	Server.exe
3504	Server.exe
3668	Server.exe
3880	Server.exe
3456	Server.exe
3648	Server.exe
3112	Server.exe
3588	Server.exe
3532	Server.exe
3592	Server.exe
3508	Server.exe
3528	Server.exe
4152	Server.exe
4324	Server.exe
4468	Server.exe
4664	Server.exe
5008	Server.exe
4172	Server.exe
4464	Server.exe
4660	Server.exe
5088	Server.exe
4172	Server.exe
4548	Server.exe
4216	Server.exe
4596	Server.exe
4472	Server.exe
5092	Server.exe
4276	Server.exe
4696	Server.exe
5384	Server.exe
5580	Server.exe
5884	Server.exe
6056	Server.exe
3624	Server.exe
5624	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2512	328	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	30
PID 328 wrote to memory of 2512	328	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	30
PID 328 wrote to memory of 2512	328	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	30
PID 328 wrote to memory of 2512	328	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	30
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2512 wrote to memory of 2192	2512	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	31
PID 2192 wrote to memory of 1996	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	32
PID 2192 wrote to memory of 1996	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	32
PID 2192 wrote to memory of 1996	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	32
PID 2192 wrote to memory of 1996	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	32
PID 2192 wrote to memory of 1996	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	32
PID 2192 wrote to memory of 2768	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	33
PID 2192 wrote to memory of 2768	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	33
PID 2192 wrote to memory of 2768	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	33
PID 2192 wrote to memory of 2768	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	33
PID 2192 wrote to memory of 2768	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	33
PID 2192 wrote to memory of 592	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	34
PID 2192 wrote to memory of 592	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	34
PID 2192 wrote to memory of 592	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	34
PID 2192 wrote to memory of 592	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	34
PID 2192 wrote to memory of 592	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	34
PID 2192 wrote to memory of 2148	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	35
PID 2192 wrote to memory of 2148	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	35
PID 2192 wrote to memory of 2148	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	35
PID 2192 wrote to memory of 2148	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	35
PID 2192 wrote to memory of 2148	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	35
PID 2192 wrote to memory of 2012	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	36
PID 2192 wrote to memory of 2012	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	36
PID 2192 wrote to memory of 2012	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	36
PID 2192 wrote to memory of 2012	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	36
PID 2192 wrote to memory of 2012	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	36
PID 2192 wrote to memory of 2720	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	37
PID 2192 wrote to memory of 2720	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	37
PID 2192 wrote to memory of 2720	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	37
PID 2192 wrote to memory of 2720	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	37
PID 2192 wrote to memory of 2720	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	37
PID 2192 wrote to memory of 2728	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	38
PID 2192 wrote to memory of 2728	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	38
PID 2192 wrote to memory of 2728	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	38
PID 2192 wrote to memory of 2728	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	38
PID 2192 wrote to memory of 2728	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	38
PID 2192 wrote to memory of 2808	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	39
PID 2192 wrote to memory of 2808	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	39
PID 2192 wrote to memory of 2808	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	39
PID 2192 wrote to memory of 2808	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	39
PID 2192 wrote to memory of 2808	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	39
PID 2192 wrote to memory of 2820	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	40
PID 2192 wrote to memory of 2820	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	40
PID 2192 wrote to memory of 2820	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	40
PID 2192 wrote to memory of 2820	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	40
PID 2192 wrote to memory of 2732	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	41
PID 2192 wrote to memory of 2732	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	41
PID 2192 wrote to memory of 2732	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	41
PID 2192 wrote to memory of 2732	2192	JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe	41
PID 2732 wrote to memory of 2796	2732	Server.exe	42
PID 2732 wrote to memory of 2796	2732	Server.exe	42
PID 2732 wrote to memory of 2796	2732	Server.exe	42
PID 2732 wrote to memory of 2796	2732	Server.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60346d6d7471ce30de99997efaf63006.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      PID:1996
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2896
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        20⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        23⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        26⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        27⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        28⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        29⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        31⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        32⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        33⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        34⤵
        Adds Run key to start application
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        35⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        36⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        37⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        38⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        39⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        40⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        41⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:1516
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:756
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        20⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        21⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        23⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        26⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        27⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        29⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        31⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        33⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4596
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        37⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        38⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2092
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        
        PID:2040
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2172
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:1540
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        
        PID:392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        19⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        20⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        22⤵
        Drops file in System32 directory
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        23⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        24⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:4712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        26⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:3760
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3668
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3812
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3880
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3532
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        15⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4660
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        17⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:3484
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        14⤵
        
        PID:4252
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:4656
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4664
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:4276
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        11⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5384
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:5448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5884
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5624
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        20⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        21⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:5736
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        23⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        24⤵
        Modifies registry class
        
        PID:6096
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        25⤵
        Adds Run key to start application
        
        PID:5140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        27⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        29⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        30⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:6788
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        31⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:6844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        32⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        33⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        35⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        36⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7080
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        37⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        38⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        39⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        40⤵
        Adds Run key to start application
        
        PID:7016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        41⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        42⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7500
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        43⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:8056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:8084
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:4572
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5580
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6056
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        14⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        15⤵
        Checks BIOS information in registry
        
        PID:5912
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        17⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        18⤵
        Checks BIOS information in registry
        
        PID:2116
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        19⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        20⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        23⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        24⤵
        
        PID:6532
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:5628
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:5168
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        
        PID:6096
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Checks BIOS information in registry
        
        PID:5876
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        14⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        15⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        
        PID:5220
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        13⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        14⤵
        
        PID:6620
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:6856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        11⤵
        
        PID:6628
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:7024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:6684
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:6692
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:7016
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:7076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        9⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:6888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6392
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Adds Run key to start application
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Checks BIOS information in registry
        
        PID:7204
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        
        PID:7736
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:7792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:8064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:8092
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:6972
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:6936
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        11⤵
        
        PID:7216
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:6668
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7384
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:7392
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        
        PID:7900
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:7972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8100
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2796
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        22⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        25⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        26⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F827973E.TMP

Filesize
25B

MD5
74c7f15f70e3cc50139cc6b798d57feb

SHA1
c5c58d8003d6d8eb3bf30b93cd87b5600856a988

SHA256
35f0ac141abdb905adacede4d8987205f51148fe59b15b17ff0d66334271207d

SHA512
40f2a4f5ebb5f79efbab3c426b8e2e3164b4a9b199977b8617d692f739ab6d6309ac40b2f598fc2e318806ffa8602a6c965d70e18d53d152fedd2bc781f7df5e

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
279KB

MD5
6e22401d0ddf1c0dad52627a1d997c40

SHA1
da2116a7121fad6c64b232f1345b55f371d4ffd5

SHA256
64de58517b149c10c497f0312230706398d9fd090d382e433a5408b293b81434

SHA512
650143d6902641bdd8c787133dff4d7b7a9cc48d7bc8ef4d4c8614df75f7912781aa074bd981e5a9520c69ddb3cd7178ce197f4da261d50e301877f21fd981b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\699c4b9cdebca7aaea5193cae8a50098_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
79d4a60cff7ff3053b33e1c43e662ea1

SHA1
5454cef04080bcc009c63daf88dfe948a3dcbb9c

SHA256
557b3fbd62fd84f5aefae950790ae7a852604ed5af8c498385ec3033d80ce1fe

SHA512
31e9c46648b97db17a6cb04de969395bb256ca9e7e8177a9ccbab9084807881ddee1eb7c6b64046b76d9a5a03d6687986ce520aac19444789faf8cb1e75ac13c

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe

Filesize
279KB

MD5
60346d6d7471ce30de99997efaf63006

SHA1
97edc6484b68609a483950fc88dbc8fd885997d1

SHA256
5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb

SHA512
f8dcc57e1662e45fa3b7bb69569113e5a863a6ff6c84ab6eed28982e8bac6d5fb722595450e0509d996654b72481fa15383a5344a3d401f57ca575c8620771e7

Download Submit
memory/1996-32-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2124-105-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2124-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2124-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2124-92-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2124-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2192-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-17-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-22-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-13-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-23-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-12-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2192-21-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2512-0-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2512-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2512-18-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2512-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2512-8-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2512-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2784-118-0x00000000003A0000-0x00000000003C5000-memory.dmp

Filesize
148KB

Download
memory/2796-48-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2796-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2796-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2796-62-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2796-39-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2796-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads